2

I'm trying to create a user login page for my jersey webapp on tomcat that behaves like all the other pages on the web. That is, the user sees a nice login page opposed to a popup (like BASIC tomcat authentication) and the passwords are hashed before comparing to the DB entries. Is tomcat authentication the right way to do this?

It seems that I want to use DIGEST authentication for md5 hashing but FORM authentication to get a page rather than a popup. Perhaps there are java libraries to do this instead, and I should simply not use tomcat for this.

fairidox
  • 3,358
  • 2
  • 28
  • 29
  • 1
    There's a similar question with an accepted answer here: http://stackoverflow.com/questions/2902427/user-authentication-on-a-jersey-rest-service – Dan May 20 '11 at 21:01

2 Answers2

3

Check out Apache Shiro or Spring Security.

sourcedelica
  • 23,940
  • 7
  • 66
  • 74
1

When using the form submission approach, BASIC versus DIGEST does not come into play at all since it isn't using HTTP Authentication. It simply sends the user id and password via an HTTP POST as parameters to a URL that is predefined by the Servlet specification, allowing the Servlet container to process them. Security of the data using this method is achieved through the use of SSL.

laz
  • 28,320
  • 5
  • 53
  • 50