Here's a simple way to remember the 3 big elements of the web.xml related to security,
<security-constraint>
1) It identifies what resource we are securing... <web-resource-collection>
2) What roles can access the resource... <auth-constraint>
3) How the resource is to be transmitted across the network... <user-data-constraint>

<login-config>
1) It defines what authentication mechanism is to be used... <auth-method>

<security-role>
1) It catalogs any security roles in use by the web application... <role-name>
Hope this helps for newbies!
[ April 13, 2007: Message edited by: Jothi Shankar Kumar Sankararaj ]
The reason I posted this is because I never worked with security and it is our deployers who do all this, and many times I found it hard to remember all the sub-elements and so on. Now after knowing it like the way above, I'm able to remember it always without any error. This will definitely help me in the exam...
If I am not deviating from the objective of this post, I would like to know, for a form-based authentication, how could I authenticate a user from the list of user name and password credentials from the database without using the Tomcat users XML file?
I am pretty new to this, so there may be lots of loopholes even in my question or even the question is itself silly.
What you're looking for is either a JDBCRealm or a DataSourceRealm. (Note that the page Satou linked to talks about JspWiki integration with Tomcat, so there's some stuff that wouldn't apply to your web app.)
The Tomcat FAQ has a section on container-based authentication.
[ April 15, 2007: Message edited by: Ulf Dittmer ]