Web security solutions for the Tomcat server

1 , overview

In any Web application development, regardless of the size of the small and medium-sized, each developer will encounter some need to protect program data, involving the user's login ID and password. So how is it better to perform the verification method? In fact, there are many ways to achieve this.

The following is a discussion of the implementation of basic (Basic) and form-based (form-based) authentication methods in Tomcat. It provides basic and form-based validation through the Server.xml and Web. xml files.

For forms-based (form-based) authentication, it requires two parameters for the J_security_check form (for form-based) in the login JSP page: J_username and J_password.

The name and password of the user's login can be stored in Tomcat in two forms, one using server.xml? The other can also be stored using the user's own database table.

2 , The roles of various people in the design system

(1) Design ideas

• Unified user Management to implement access policy management systems based on role, coarse-grained (URL-based), and fine-grained (application-based method invocation)

L Hierarchical role-based rights management, unified certificate management and unified resource management

(2) Design objectives

In general, database tables (for complex or LDAP) records the account information, function permissions and data permission information of each system user, which can increase the flexibility of user management and permission setting, and also avoids the situation of multiple users sharing an account.

(3) Advantages

From the user's point of view, login all applications use a unique user name and password (digital certificate) while accessing the system, and only need to log in once (Single sign-on full-network roaming---SSO (sign-on)).

From the manager's point of view, provide a unified, centralized, effective user management.

Web security solutions for the Tomcat server