Posted to users@tomcat.apache.org by Stephen Charles Huey <st...@fastmail.fm> on 2004/06/17 22:17:58 UTC

basic authentication or not?

In a nutshell, I'm wondering if it's better NOT to use basic
authentication.  We have over 10,000 regular users, and I think it would
be good for us to move to a more standard login page instead of that
authentication box that pops up.  My question is, would we have to
change a lot to do this?  At the moment, I'm not even sure we're using
basic authentication, and below I will outline my attempt to determine
if we're even using it...

When you type the URL to our website, it pops up an authentication box
before it shows you anything else and you must get past that to get into
the web app.  As far as I understand (the original developer is no
longer with us), we are using basic authentication with Tomcat 4. 
However, I was perusing this document to figure out where our basic
authentication is configured and it doesn't look like we have all this
stuff:

http://www.jguru.com/faq/view.jsp?EID=1131436

Notable exceptions are any <security-constraint> or <login-config> nodes
in our web.xml, and since the example on the jguru page put BASIC in the
<login-config> node, I'm really not sure that we're using basic
authentication (although that's still my gut feeling).  

In our server.xml, I see that both of the following are uncommented, but
I'm guessing that only the second one is being used since I don't think
we have anything (no JNDI) set up for the first one:


  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
  debug="0" resourceName="UserDatabase" /> 


  <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
  driverName="org.gjt.mm.mysql.Driver"
  connectionURL="jdbc:mysql://127.0.0.1/mainDB" connectionName="user"
  connectionPassword="pass" userTable="users" userNameCol="Username"
  userCredCol="Password" userRoleTable="roles" roleNameCol="Role" /> 


Aside from the big database used by our web application, we have a small
MySQL database whose sole purpose is to authenticate users.  Would it be
just as simple to continue using that for authentication if we moved
away from this "popup box" authentication?  Is there any good reason to
have this authentication database outside of our main database?  Or is
this somehow protecting our web app more--making you authenticate before
you ever communicate with anything in our site (e.g. a LoginServlet or
something like that).  

I know this is long...I appreciate any feedback, though!  

Thanks,
Stephen

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Re: basic authentication or not?

Posted by Stephen Charles Huey <st...@fastmail.fm>.
Duh.  I was looking in the general Tomcat web.xml--yes, in my
app-specific one, we're using BASIC authentication.  

Ok, so Tomcat knows to use the additional MySQL database for
authentication.  Right now, if you go to www.ourDomain.com it'll make
you authenticate and then it will forward you to the default web
application at www.ourDomain.com/DefaultApp/Welcome.jsp, and we have
several web apps and you can cross from one to the other without
authenticating, so you could go up and modify the URL to
www.ourDomain.com/OtherApp/index.jsp and you'd be there instantly.  

So my question is, if we changed to form-based authentication so we
could present our look and feel from the start, would it work for
authenticating all the web apps if the login page was under a particular
web app's folder?  In other words, where would and could we stick a
Login.jsp that would be presented to the user when you type
www.ourDomain.com?  

Thanks so much,
Stephen


----- Original message -----
From: "QM" <qm...@brandxdev.net>
To: "Tomcat Users List" <to...@jakarta.apache.org>
Date: Thu, 17 Jun 2004 16:04:21 -0500
Subject: Re: basic authentication or not?



Re: basic authentication or not?

Posted by Filip Hanik - Dev <de...@hanik.com>.
as long as you authenticate your users over https, to prevent the passwords from travelling across the internet unencrypted, you can use
any method.

Filip

----- Original Message -----
From: "QM" <qm...@brandxdev.net>
To: "Tomcat Users List" <to...@jakarta.apache.org>
Sent: Thursday, June 17, 2004 4:04 PM
Subject: Re: basic authentication or not?


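Editor's added example (not code from the thread, and not Tomcat's own code): a short Python script that does the check Stephen is trying to do by hand in the first message, and adds the one Filip's reply makes a condition of using any method at all, namely that the login goes over HTTPS. It parses an app-specific WEB-INF/web.xml and the Realm entries of server.xml and reports what the container will actually enforce. The three XML samples inside are constructed for the example, modelled on the configuration described in the thread; the page names Login.jsp and LoginError.jsp and the database credentials are assumptions.

```python
"""Report the container-managed authentication a Tomcat 4 web app will enforce,
from its WEB-INF/web.xml and the Realm(s) in server.xml.  Added example; the
samples below are constructed, not the poster's real files."""
import xml.etree.ElementTree as ET

# Constructed: an app-specific web.xml protecting everything with BASIC auth.
WEB_XML_BASIC = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>All</web-resource-name><url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method><realm-name>Our Site</realm-name></login-config>
</web-app>"""

# Constructed: the same app on FORM auth.  Login.jsp (an assumed name) must
# POST j_username and j_password to j_security_check; CONFIDENTIAL makes
# Tomcat redirect the protected URLs, login form included, to HTTPS.
WEB_XML_FORM = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>All</web-resource-name><url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config><form-login-page>/Login.jsp</form-login-page>
      <form-error-page>/LoginError.jsp</form-error-page></form-login-config>
  </login-config>
</web-app>"""

# Constructed server.xml fragment with the two Realms from the first post
# (connection credentials replaced by placeholders).
SERVER_XML = """<Server><Service><Engine name="Standalone">
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
  <Realm className="org.apache.catalina.realm.JDBCRealm" driverName="org.gjt.mm.mysql.Driver"
         connectionURL="jdbc:mysql://127.0.0.1/mainDB" connectionName="dbuser"
         connectionPassword="dbpass" userTable="users" userNameCol="Username"
         userCredCol="Password" userRoleTable="roles" roleNameCol="Role"/>
</Engine></Service></Server>"""


def _local(tag):
    return tag.split("}", 1)[-1]        # drop an XML namespace, if any


def _texts(elem, name):
    return [e.text.strip() for e in elem.iter() if _local(e.tag) == name and e.text]


def audit_web_xml(xml_text):
    """Auth method, FORM login page and every security constraint declared."""
    report = {"auth_method": None, "login_page": None, "constraints": []}
    for elem in ET.fromstring(xml_text):
        tag = _local(elem.tag)
        if tag == "login-config":
            report["auth_method"] = (_texts(elem, "auth-method") or [None])[0]
            report["login_page"] = (_texts(elem, "form-login-page") or [None])[0]
        elif tag == "security-constraint":
            report["constraints"].append({
                "url_patterns": _texts(elem, "url-pattern"),
                "roles": _texts(elem, "role-name"),
                "transport": (_texts(elem, "transport-guarantee") or ["NONE"])[0]})
    return report


def audit_server_xml(xml_text):
    """Every <Realm>, with the two attributes worth a second look."""
    return [{"className": r.get("className") or "",
             "inline_db_password": r.get("connectionPassword") is not None,
             "digest": r.get("digest")}
            for r in ET.fromstring(xml_text).iter() if _local(r.tag) == "Realm"]


def findings(web, realms):
    """Plain-language findings, in the order a reviewer would raise them."""
    out = []
    if web["auth_method"] is None:
        out.append("no <login-config>: this app does not use container auth, "
                   "so a Realm in server.xml is not what prompts its users")
    elif web["auth_method"] == "BASIC":
        out.append("BASIC: browser popup; base64 credentials on every request")
    elif web["auth_method"] == "FORM" and not web["login_page"]:
        out.append("FORM without <form-login-page>: nothing to show the user")
    for c in web["constraints"]:
        if c["roles"] and c["transport"] != "CONFIDENTIAL":
            out.append("%s: protected but not CONFIDENTIAL, so credentials cross "
                       "the network without HTTPS unless a front end adds it"
                       % ", ".join(c["url_patterns"]))
    for r in realms:
        if r["inline_db_password"]:
            out.append("%s: database password inline in server.xml" % r["className"])
        if r["className"].endswith("JDBCRealm") and r["digest"] is None:
            out.append("JDBCRealm without digest=: Password column compared as plaintext")
    if len(realms) > 1:
        out.append("%d Realms at one level: Tomcat keeps one per container" % len(realms))
    return out


if __name__ == "__main__":
    realms = audit_server_xml(SERVER_XML)
    for label, xml in (("BASIC", WEB_XML_BASIC), ("FORM", WEB_XML_FORM)):
        print(label, *findings(audit_web_xml(xml), realms), sep="\n  ")
```

The FORM sample is also the shape of the change Stephen's follow-up asks about: each web app carries its own <login-config> and its own form-login-page, resolved against that app's context root, so one Login.jsp cannot by itself serve several apps. The transport-guarantee line is how to have Tomcat enforce the HTTPS condition Filip mentions rather than relying on users typing https:// themselves.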


Re: basic authentication or not?

Posted by QM <qm...@brandxdev.net>.
(Please, create new messages when mailing the list.  Responding to
unrelated messages causes confusion for those of us who use thread-aware
mailers.)


: In a nutshell, I'm wondering if it's better NOT to use basic
: authentication.

My understanding is that FORM vs BASIC is just that the former lets you
create a custom login page that maintains your app's look and feel.
(read: that's all *I* have used it for ;)


: At the moment, I'm not even sure we're using
: basic authentication, and below I will outline my attempt to determine
: if we're even using it...

You mention that there are no <security-constraint> or <login-config>
elements in the web.xml.  You're checking the app-specific web.xml in
WEB-INF, and not the general one in the Tomcat install dir?  (Sorry to
ask; I have to check.)

Yet, there's a <Realm> def in server.xml?

Perhaps auth is being done elsewhere (say, the web server), hence the
<Realm> isn't being used, and is leftover from an earlier configuration.
Unlikely, but worth investigating.


: Aside the big database used by our web application, we have a small
: MySQL database whose sole purpose is to authenticate users.  Would it be
: just as simple to continue using that for authentication if we moved
: away from this "popup box" authentication?

If you move to FORM auth and use JDBCRealm, yes, you should be able to
continue using this database.  Provided, of course, the passwords are
hashed in the way JDBCRealm expects.


: Is there any good reason to
: have this authentication database outside of our main database?

One reason is load: separate auth traffic from app traffic.  This also
lets you share that single auth DB among several apps, and each app can
have its own database for its data.

-QM


-- 

software  -- http://www.brandxdev.net
tech news -- http://www.RoarNetworX.com


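Editor's added example (not the thread's code and not Tomcat's own implementation): what QM's caveat "hashed in the way JDBCRealm expects" amounts to. Tomcat's Realm takes a digest= attribute naming a JCE MessageDigest algorithm (MD5, SHA, ...); when it is set, the realm stores and compares the lowercase hex digest of the password with no salt, and when it is absent the Password column is compared as plaintext. The in-memory SQLite database, its table layout and the user names below are constructed to mirror the column names in Stephen's server.xml; SQLite stands in for MySQL only so the script runs offline, and the UTF-8 password encoding and the case-insensitive comparison are assumptions noted in the code.

```python
"""Hash a Tomcat 4 JDBCRealm user table the way the realm's digest= attribute
expects, and replay the realm's own login check against it.  Added example;
the database and users are constructed, not the poster's data."""
import hashlib
import sqlite3

# JCE digest names accepted by the Realm's digest= attribute -> hashlib names.
_ALGORITHMS = {"MD5": "md5", "SHA": "sha1", "SHA-1": "sha1", "SHA-256": "sha256"}


def tomcat_digest(password, algorithm="SHA"):
    """Credential in the form Tomcat's RealmBase.digest() produces: the
    MessageDigest of the password bytes as lowercase hex, with no salt."""
    h = hashlib.new(_ALGORITHMS[algorithm])
    h.update(password.encode("utf-8"))   # assumption: passwords are UTF-8
    return h.hexdigest()


def build_user_db():
    """Constructed stand-in for the separate auth database: users(Username,
    Password) still holding plaintext passwords, plus roles(Username, Role)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (Username TEXT PRIMARY KEY, Password TEXT NOT NULL);
        CREATE TABLE roles (Username TEXT NOT NULL, Role TEXT NOT NULL);
        INSERT INTO users VALUES ('alice', 'password'), ('bob', 'hunter2');
        INSERT INTO roles VALUES ('alice', 'user'), ('bob', 'user'), ('bob', 'admin');
    """)
    return conn


def migrate_plaintext(conn, algorithm="SHA"):
    """One-shot conversion to run BEFORE adding digest="SHA" to the Realm:
    replaces each plaintext Password with its digest.  Run it exactly once;
    a second pass would digest the digests and lock every user out."""
    rows = conn.execute("SELECT Username, Password FROM users").fetchall()
    conn.executemany("UPDATE users SET Password = ? WHERE Username = ?",
                     [(tomcat_digest(pw, algorithm), user) for user, pw in rows])
    conn.commit()
    return len(rows)


def authenticate(conn, username, password, algorithm="SHA"):
    """What JDBCRealm does at login: fetch the stored credential by username
    (a parameterised query, as the realm's PreparedStatement does) and compare
    the digest of the submitted password with it.  Returns the user's roles,
    or None on failure.  Case-insensitive compare is an assumption, chosen so
    a table hashed with uppercase hex by another tool still matches."""
    row = conn.execute("SELECT Password FROM users WHERE Username = ?",
                       (username,)).fetchone()
    if row is None or row[0].lower() != tomcat_digest(password, algorithm):
        return None
    return [role for (role,) in conn.execute(
        "SELECT Role FROM roles WHERE Username = ?", (username,))]


if __name__ == "__main__":
    db = build_user_db()
    print("before migration:", authenticate(db, "alice", "password"))
    print("migrated rows:", migrate_plaintext(db))
    print("after migration:", authenticate(db, "alice", "password"))
    print("wrong password:", authenticate(db, "alice", "letmein"))
```

Run migrate_plaintext once, then add digest="SHA" to the JDBCRealm element; doing it in the other order, or running the migration twice, locks every user out, which is why authenticate() is worth checking before and after. Note what this scheme is: an unsalted, fast hash, so anyone who obtains a copy of the users table can still recover common passwords with a dictionary. It is an improvement over a plaintext column, not a substitute for keeping that table out of reach of the main application, which is one more reason in favour of QM's point about keeping the auth database separate.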