Jamie Popkin <[email protected]> wrote:
> I'm glad to see you're working on porting the authentication to Spring.
>
> I had similar concerns. That's why I moved to a CGI script doing a local
> request. The credentials are passed through a http://localhost:8080 call...
> i.e. nothing is passed over the internet. I let another (MD5 protected) form
> based authentication handle the user's initial login.
Note that just hashing passwords via MD5 doesn't provide good security,
either. If that kind of snake-oil provides a false feeling of security,
it actually does more harm than good.
Instead, you need HMAC for authentication (which uses MD5 or SHA1 as
building block, but does more).
Also, note that there's already a standard for that kind of authentication,
namely HTTP Digest Auth (not to be confused with HTTP Basic Auth) which
is suitable for secure authentication over unencrypted channels.
> I'd like to move to https in the future. That would be even better I think.
When using HTTPS, you can indeed use HTTP Basic Auth. But even in that
scenario, HTTP Digest Auth has some advantages.
I recommend reading the following Wikipedia articles on that topic:
http://en.wikipedia.org/wiki/HMAC
http://en.wikipedia.org/wiki/Digest_access_authentication
Greets,
Volker
--
Volker Grabsch
---<<(())>>---
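The two points made in the reply above, as an added Python example that is not part of the original thread: an HMAC over a server-issued nonce (so the secret itself never crosses the wire, unlike a bare MD5 of the password) and the HTTP Digest "response" computation from RFC 2617 with qop="auth", checked on the server from the stored H(A1). The shared secret and nonces in the HMAC part are constructed values; the Digest inputs are the published worked example from RFC 2617 section 3.5.

```python
import hashlib
import hmac
import secrets

# --- (1) HMAC challenge-response: the shared secret never crosses the wire ---
def hmac_response(secret: bytes, nonce: bytes) -> str:
    """Client: answer the server's fresh nonce with HMAC-SHA256(secret, nonce)."""
    return hmac.new(secret, nonce, hashlib.sha256).hexdigest()

def hmac_verify(secret: bytes, nonce: bytes, response: str) -> bool:
    """Server: recompute and compare in constant time (no timing leak)."""
    return hmac.compare_digest(hmac_response(secret, nonce), response)

# --- (2) HTTP Digest Auth (RFC 2617, qop="auth") ---
def _md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def digest_ha1(user: str, realm: str, password: str) -> str:
    """H(A1): the server can store this instead of the cleartext password."""
    return _md5_hex(f"{user}:{realm}:{password}")

def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str) -> str:
    """The 'response' field the client sends; binds method, URI and both nonces."""
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def digest_verify(ha1: str, method: str, uri: str, nonce: str,
                  nc: str, cnonce: str, response: str) -> bool:
    """Server check: the same inputs must reproduce the client's response."""
    expected = digest_response(ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)

def rfc2617_example() -> str:
    """Worked example from RFC 2617 section 3.5 (published test vector)."""
    ha1 = digest_ha1("Mufasa", "testrealm@host.com", "Circle Of Life")
    return digest_response(ha1, "GET", "/dir/index.html",
                           "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                           "00000001", "0a4f113b")

def hmac_round_trip() -> tuple:
    """Constructed secret/nonce: a fresh answer verifies, a replay under a new nonce does not."""
    secret, nonce = b"constructed-shared-secret", secrets.token_bytes(16)
    answer = hmac_response(secret, nonce)
    return (hmac_verify(secret, nonce, answer),
            hmac_verify(secret, secrets.token_bytes(16), answer))

if __name__ == "__main__":
    print(rfc2617_example(), hmac_round_trip())
```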
_______________________________________________
Geoserver-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/geoserver-users