I am working on a JSP application running on Linux and Tomcat. My requirements are specifying that I don't use Tomcat security to login and/or placing the password in a flat file on the system. We are wanting to verify the user by trying to login to the Linux system using an account/password setup on the system. The reason for this is to allow the user the ability to change his/her password at a later date and later logins would allow the use of the new password. Does anyone know of a way that I can do this? I want to pass the login information to the OS and attempt to login there. If it passes I will set a flag in the ServletContext to show that a successful login occurred and allow all other accessable web pages/JSPs to be displayed. If not an error screen would be displayed. OS login is also necessary because we plan to allow the user to configure the device via the web application. I realize that passwork incription will also be needed to hide the password from anyone monitoring the data being passed to the device. Any help would be greatly appreciated.
Tomcat comes supplied with 4 different security realm implementations, only one of which is a flat (XML) file. The flat file is only really recommended for "quick-and-dirty" use anyway. More commonly used are the jdbc or JNDI realms. A userid/password stored in a database can be validated in the JDBC realm, and updating the password is just as simple as any other sort of update. On the other hand, if you are running a limited-access server and you're presently using JNDI to manage Linux accounts, you'd probably want to use that facility. If you're REALLY ambitious, you can write your own custom realm class that invokes PAM, but if you want to provide a single signon for both Linux and Web, you should probably be using JNDI.
Customer surveys are for companies who didn't pay proper attention to begin with.