
web app security authorization question

al langley
Ranch Hand

Joined: Mar 28, 2008
Posts: 35
I've tested and used the tomcat-user.xml file in conjunction with the <security-constraint> tags in DD to limit access to certain pages. Using this method, I've defined username, passwords and roles in the tomcat-user.xml file.

I was wondering how this is handled in bigger applications where it wouldn't be efficient to declare all users and their passwords in a tomcat-user.xml file.

I'm guessing information such as usernames, passwords, and roles can be kept in a database and not in an XML file.
My question is, how do you tell a container that a user has a certain role if you don't declare it in tomcat-user.xml?

Ben Souther

Joined: Dec 11, 2004
Posts: 13410

I use declarative security for small apps.
For larger things, I usually end up writing my own as the login involves fetching and setting up a lot of things.

You can, with Tomcat, create JDBC realms to allow you to use declarative security with a database.
[ May 14, 2008: Message edited by: Ben Souther ]

al langley
Ranch Hand

Joined: Mar 28, 2008
Posts: 35
Thanks! Much appreciated!