2

I am creating simple web application. There is some public data, and managed data. Admin is logging in when performing some actions with private data.

Web application server: Tomcat.

Database server: MySQL.

The question is what is best practice to do login verification.

Should I:

a) login be used with some XML files like web.xml/context.xml, maybe using tomcat-users.xml? In this case I think Tomcat admins can easily manage (add/remove/change pass) users.

b) use MySQL db table like users. But then it is managed by DB admins. And well is it OK, to put users/passwords in some DB? Maybe should they be encrypted.

Maybe there's some other way.

Limitation is if some software is needed, this must be a freeware.

Thanks in advance.

4

1 回答 1

1

第二个选项是要走的路。当然,您需要在数据库中存储散列的密码。当用户登录时,对他输入的密码进行哈希处理,并将其与从数据库中检索到的(已经哈希处理的)密码进行比较,以了解他提供的密码是否正确。

您可以通过添加权限列来跟踪用户表中的权限。添加列 'Add'、'Remove'、'ChangePassword', ... 并将它们设置为 0 或 1 以了解相应用户是否具有执行操作的权限。

于 2013-06-27T21:09:57.750 回答