I just finished reading the chapter on Web App Security in HFSJ.
I would like to know whether new J2EE projects actually specify/use "<security-constraint>" in the web.xml file, or whether there are better and newer ways of achieving authentication and authorization. Listing all users and roles in "tomcat-users.xml" seems a bit tacky to me; a better approach, to me, would be to use a database to store users and roles.
Will specifying my users and roles in a database make most of the work (authentication and authorization) done by the container using "<security-constraint>" unnecessary?
It seems like the only important tag I may use, if I'm to define my users and roles in a database, would be "<user-data-constraint>"; someone correct me if I'm wrong.
When I use a <login-config>, are the user name and password compared with what is in tomcat-users.xml by the container, or do I have to retrieve these two parameters and do the comparison myself?
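The setup the post is asking about, as an added example that is not part of the original post: a web.xml <security-constraint>/<login-config> pair left exactly as the container expects it, with a Tomcat Realm in META-INF/context.xml pointing at a database so the container itself compares the submitted credentials against the tables instead of tomcat-users.xml. The JNDI name, table and column names, and the JDBC URL are assumptions; the Realm only changes where credentials live, while <security-constraint> still decides what is protected and which roles may reach it.

```xml
<!-- WEB-INF/web.xml: container-managed security (names are assumed) -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>  <!-- authorization: only this role -->
    </auth-constraint>
    <user-data-constraint>
      <!-- transport only: forces TLS, says nothing about who the user is -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>  <!-- container collects j_username/j_password -->
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role><role-name>admin</role-name></security-role>
</web-app>

<!-- META-INF/context.xml: the Realm replaces tomcat-users.xml; the container
     does the comparison, the application never sees the password.
     Datasource, table and column names are assumptions for this example. -->
<Context>
  <Resource name="jdbc/AppDB" auth="Container" type="javax.sql.DataSource"
            driverClassName="org.postgresql.Driver"
            url="jdbc:postgresql://localhost:5432/appdb"
            username="app_auth" password="CHANGE_ME" maxTotal="8"/>
  <Realm className="org.apache.catalina.realm.DataSourceRealm"
         dataSourceName="jdbc/AppDB" localDataSource="true"
         userTable="app_users" userNameCol="username" userCredCol="password_hash"
         userRoleTable="app_user_roles" roleNameCol="role_name">
    <!-- store salted PBKDF2 hashes in password_hash, never plaintext (Tomcat 8+) -->
    <CredentialHandler className="org.apache.catalina.realm.SecretKeyCredentialHandler"
                       algorithm="PBKDF2WithHmacSHA512" iterations="100000"
                       keyLength="256" saltLength="16"/>
  </Realm>
</Context>
```

With this in place, a request to /admin/* that lacks an authenticated session with the admin role is redirected to /login.jsp by the container; the database account used by the Realm should be limited to read access on the two tables.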