
doubt in security - username and password.

priya rishi
Ranch Hand

Joined: Oct 26, 2008
Posts: 119
hello,
my doubt is in security.

we are creating roles with user names and passwords in tomcat-users.xml.

as far as roles are concerned, i get it.

what i don't get is: doesn't the user create his username and password? how come we do it (that is, the application developer)?

for eg: i want to buy a book from amazon.com, i create all login details (that is, the user).

could anyone explain to me what's happening here? one thing is for sure, i am missing something.

thanks.


SCJP 5 , SCWCD 5
Amru Jahagirdar
Ranch Hand

Joined: Sep 16, 2009
Posts: 39
Hi,

As far as I know, the tomcat-users.xml file is used merely for testing purposes.
I mean you use this file to test the different security roles for the web application under development.
Once your web application goes live, it should not use 'tomcat-users.xml'. Normally a backend database
stores everything: usernames & passwords.

Please correct me if I am wrong.
priya rishi
Ranch Hand

Joined: Oct 26, 2008
Posts: 119
Thanks Amru, you're right.

in HFSJ it says,
in real world you are using a production server that gives you a hook into the LDAP or database where your real user security info is stored.



i would like to do the security with a database.
in the database, if i am having username, password and roles, how will the container hook it up?
any suggestions on how to do it?
Amru Jahagirdar
Ranch Hand

Joined: Sep 16, 2009
Posts: 39
Well, when I worked with such an application, what we did was:

Create a module to handle business logic, i.e. to get the user data from the DB & match it with the information the user provides.
This is the business layer module.

Create a module that handles all communication between the backend DB & the business layer module.
This is the data layer module.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42600
    
priya rishi wrote: in database if i am having username, password and roles, how will the container hook it up.

That's where Tomcat realms come into play: http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html Either a JDBCRealm or a DataSourceRealm would be a good fit here.

Of course, you still need a way for the user to create the account, so that the web app can store the relevant data in the DB.


Ping & DNS - my free Android networking tools app
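
The hook described in the reply above, as an added example that is not part of the original thread: a DataSourceRealm declared in the web app's context.xml, shown beside the tomcat-users.xml entry it replaces and the web.xml constraint that stays the same. The table and column names, the jdbc/authDB resource, the MySQL driver and URL, the DB account and the sample user are all assumptions.

```xml
<!-- DEVELOPMENT: conf/tomcat-users.xml, edited by hand by the developer.
     Constructed sample entry. -->
<tomcat-users>
  <role rolename="customer"/>
  <user username="alice" password="example-only" roles="customer"/>
</tomcat-users>

<!-- PRODUCTION: META-INF/context.xml of the web app. Tomcat itself looks up
     users and roles in the database; the application's sign-up code only has
     to insert rows. Assumed (hypothetical) schema:
       users(user_name PRIMARY KEY, user_pass)   user_pass = hex SHA-256 digest
       user_roles(user_name, role_name)
     The resource name jdbc/authDB, driver, URL and DB account are assumptions. -->
<Context>
  <Resource name="jdbc/authDB" auth="Container" type="javax.sql.DataSource"
            driverClassName="com.mysql.jdbc.Driver"
            url="jdbc:mysql://localhost:3306/authdb"
            username="tomcat_auth_ro" password="CHANGE_ME"
            maxActive="10" maxIdle="4"/>
  <!-- digest: stored passwords are hashes, never clear text. The DB account
       above needs SELECT on the two tables only. -->
  <Realm className="org.apache.catalina.realm.DataSourceRealm"
         dataSourceName="jdbc/authDB" localDataSource="true"
         userTable="users" userNameCol="user_name" userCredCol="user_pass"
         userRoleTable="user_roles" roleNameCol="role_name"
         digest="SHA-256"/>
</Context>

<!-- WEB-INF/web.xml: identical for both realms; only the role name links
     the application to whatever store the container uses. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>orders</web-resource-name>
    <url-pattern>/orders/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>customer</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Shop</realm-name>
</login-config>
```

With digest set, the account-creation code must store the hex-encoded SHA-256 of the password in user_pass. That digest is unsalted; the salted, iterated CredentialHandler options only arrive in Tomcat 8 and later.
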
priya rishi
Ranch Hand

Joined: Oct 26, 2008
Posts: 119
Thanks Amru, i have tried the concept with MVC, but wrote logic for checking the stored username and password (in DB) against the login details. but authentication is really cool.


Ulf Dittmer wrote:
That's where Tomcat realms come into play: http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html Either a JDBCRealm or a DataSourceRealm would be a good fit here.


Thanks Ulf, could you give me the link to try with IBM WAS.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42600
    
What do you mean by "the link" - link to what? And what does IBM WAS have to do with Tomcat?
priya rishi
Ranch Hand

Joined: Oct 26, 2008
Posts: 119
Ulf Dittmer wrote: What do you mean by "the link" - link to what?

Apache Tomcat 6.0 Realm Configuration HOW-TO :

In many cases, however, it is desirable to "connect" a servlet container to some existing authentication database or mechanism that already exists in the production environment. Therefore, Tomcat 6 defines a Java interface (org.apache.catalina.Realm) that can be implemented by "plug in" components to establish this connection.


The above is about the Tomcat server.
I am using RAD and IBM WAS for my applications and i want to try the authentication using a database,
and the link you provided had information related to the Tomcat server.
So i would like to get some link for IBM WAS.

when i googled, i got this link -
http://publib.boulder.ibm.com/wasce/V2.1.0/en/database-security-realm.html

that's what i meant by the link.

Ulf Dittmer wrote: And what does IBM WAS have to do with Tomcat?

i don't know either.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42600
    
A little hint: Next time you're after information specifically about WAS, you should state that in the question. Instead, you mentioned tomcat-users.xml, and that clearly meant that you're using Tomcat.
priya rishi
Ranch Hand

Joined: Oct 26, 2008
Posts: 119
i meant both: first i had a doubt in tomcat-users.xml (after it is cleared), i wanted to know how to try with WAS.
Christophe Verré
Sheriff

Joined: Nov 24, 2005
Posts: 14688
    

If you have any container specific questions, please ask them in their respective forum. (Tomcat,Weblogic)


All roads lead to JavaRanch
 