Home | Contact Us | FAQ | Search & Site Map | Link to Us
Sign In | Join | Other 45 Sites in Network
HomeAnnouncementsWhite Papers
Discussion GroupsFirst AidDatabasesJavaBeansGUIJava 3DVirtual MachineCORBASecurityToolsGeneral
Java DirectoryOpen Source ProjectsSample Book ChaptersUser GroupsWeb Resources
Related Topics
Databases.NETMore Topics ...
Java Forum / General / January 2006

Tip: Looking for answers? Try searching our database.

how to process authentication and authorization

Thread view: 
Enable EMail AlertsStart New Thread
John_Woo - 20 Jan 2006 11:36 GMT
Hi,

for a web-app login checking, it's said the right-way is to process
authentication then to process authorization.

I'm wondering:

1. Does it mean it needs to connect database twice, each of which for
one of these two processings?

2. Does the table structure look like

name    passwd  role

if this is correct, then one connection can provide with role/passwd
info, so why we can't have one process to check and verify user/passwd
instead of two?

3. in Tomcat, tomcat-user.xml is the configuration for
user/passwd/role, is that secured to put  these info in a file instead
of putting in DB?

Can any one clarify?

--
Thanks lots
John
Toronto
Reply to this Message
Raymond DeCampo - 22 Jan 2006 21:51 GMT
> Hi,
>
[quoted text clipped - 5 lines]
> 1. Does it mean it needs to connect database twice, each of which for
> one of these two processings?

That depends.  More below.

> 2. Does the table structure look like
>
[quoted text clipped - 3 lines]
> info, so why we can't have one process to check and verify user/passwd
> instead of two?

Don't confuse the needs of the business logic layer (or middle tier)
with the needs of the back end database.  Make your database in a manner
that allows for efficient usage.  You should have an abstraction layer
between the business logic and the database (e.g. DAO, EJB, hibernate,
etc.).  It can worry about whether it needs to go to the database again
or if it has cached the information.  Then your middle tier just asks
for the data it needs, when it needs it.

> 3. in Tomcat, tomcat-user.xml is the configuration for
> user/passwd/role, is that secured to put  these info in a file instead
> of putting in DB?

As secure as your file system which may or may not be as secure as your
database.  But much less convenient to change programatically.

HTH,
Ray

Signature

This signature intentionally left blank.

Reply to this Message


Free Magazines

Get these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...

Oracle MagazineNetwork ComputingComputer WorldBio-IT WorldeWeekInformation WeekInfosecurity
 
Sign In
Join
My Latest Posts
My Monitored Threads
My Blog
My Photo Gallery
My Profile
My Homepage
Start New Thread
Enable EMail Alerts
Rate this Thread



©2009 Advenet LLC   Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.