Currently I am using tomcat-users.xml and also enabled SSL for login on my local test computer. I can login and logout without problem using a form.
Is there a way to get the tomcat user name which I used to login and display it on the page (ex. something like "Welcome, user")? Also, how can I show a "Logout" link only when a user is logged in using this method?
In a week or two I hope to make a login system using a database instead of the tomcat-users.xml file.
Is there a way to get the tomcat user name which I used to login and display it on the page (ex. something like "Welcome, user")?
The HttpServletRequest.getRemoteUser method gives you that information.
Also, how can I show a "Logout" link only when a user is logged in using this method?
Once you have established that valid credentials have been passed (e.g., by checking that the above-mentioned method returns a valid user name), you can set a boolean request attribute, which the JSP page can check and act on accordingly.
What's being returned from the remote user method?
Just my opinion, but if you're going to be replacing the builtin login with your own database-driven system, I'd not waste too much more time on this. You could have your own system up and running in no time flat.
I'm talking about when you expect it to be empty...
Building your own is fairly simple. Store the username and password (as a one-way hash) in the DB. When the user logs in, hash the entered password and compare it to the stored value. If authentication succeeds, place information in the session stating so. This could be as simple as the user's name, or a more complicated structure with such information as the user's roles and allowed permissions within the application.
A servlet filter can be set up to check for this session "token". Should it not exist, a redirect to the login page prevents the access to the interior of the web app when not logged in.
A logout or session timeout removes the session token.