MD5 protected? Do you mean this one:
http://en.wikipedia.org/wiki/Digest_access_authentication

This is definitively better. Or did you develop your own mechanism? If you
did, please add a salt to the password before hashing, e.g. calculate
md5(password concatenated with username) to prevent dictionary attacks.

I plan to make the authentication modules pluggable to avoid "nasty"
constructs.

About https: The performance penalty depends on the chosen cipher suite
between the client and the server. For key establishment asymmetric ciphers
are used and they are always expensive. After agreement on the session key,
symmetric ciphers are used, e.g. AES --> fast, 3DES --> not so fast.

Be aware that serving a lot of GIS data is not the same as online banking.
At the end of the day you have to test in your environment.

Cheers
Christian

Quoting Jamie Popkin <[email protected]>:

> Thanks Christian.
> I'm glad to see you're working on porting the authentication to Spring.
>
> I had similar concerns. That's why I moved to a CGI script doing a local
> request. The credentials are passed through a http://localhost:8080 call...
> ie. nothing is passed over the internet. I let another (MD5 protected) form
> based authentication handle the user's initial login.
>
> I'd like to move to https in the future. That would be even better I think.
>
> Jamie
>
> On Wed, Nov 17, 2010 at 2:27 AM, <[email protected]> wrote:
>
>> But you are aware the Basic Authentication does not encrypt the password.
>> The password is base64 encoded which is the same security level as sending
>> passwords in plain text.
>>
>> I am working on such issues, look here
>> http://jira.codehaus.org/browse/GEOS-4215
>>
>> For the moment I am still waiting for some feedback.
>>
>> Quoting Jamie Popkin <[email protected]>:
>>
>>> Thanks Arne.
>>> That's good news for me... It means I'm heading in the right direction. :)
>>>
>>> I believe I have the format of the cookie correct. I'm starting to wonder
>>> if the port number :8080 is tripping up the domain setting of the cookie???
>>> That's a shot in the dark though.
>>>
>>> I'm going to start testing different ways of inserting the cookie into the
>>> browser. I'll post back here with my progress.
>>>
>>> Jamie
>>>
>>> On Tue, Nov 16, 2010 at 1:30 PM, Arne Kepp <[email protected]> wrote:
>>>
>>>> The trick with the "remember me" cookie should work.
>>>>
>>>> Note that the value of the cookie starts and ends with a double quote,
>>>> and contains ==. Normally these four characters would be URL escaped
>>>> (%20, %D3), but then acegi will not accept them. So make sure they're
>>>> set exactly like you receive them, I think the cookie is just deleted if
>>>> it's rejected.
>>>>
>>>> Technically, the best practice is probably to write acegi / Spring
>>>> Security plugins linked to your frontend application. I found it quite
>>>> challenging though.
>>>>
>>>> -Arne
>>>>
>>>> On 11/16/10 10:01 PM, Jamie Popkin wrote:
>>>> > I'm trying to access some secured wms services through basic
>>>> > authentication.
>>>> > I figured the most secure way to do this was have a cgi script grab the
>>>> > "remember me" authentication cookie through a local curl request. Then
>>>> > have that returned to the user and entered as a cookie.
>>>> >
>>>> > I've been unsuccessful at getting this to work. Can anyone see a
>>>> > problem with this set-up?
>>>> >
>>>> > What is the best (and proper) way to authenticate with Geoserver and
>>>> > then access the protected layers. In particular through OpenLayers? I
>>>> > can't seem to find any examples that work.
>>>> >
>>>> > Thanks in advance.
>>>> > Jamie
>>>>
>>>> _______________________________________________
>>>> Geoserver-users mailing list
>>>> [email protected]
>>>> https://lists.sourceforge.net/lists/listinfo/geoserver-users
>>>
>>> --
>>> Jamie Popkin
>>> Little Earth
>>> 250 390 6816
>>> http://littleearth.ca
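
Added example, not part of the original thread or of GeoServer's code: the difference between Basic and Digest authentication discussed above, in Python. It decodes a Basic header back to the password, then computes the RFC 2617 Digest response, which changes with the server nonce; all sample values are the published RFC 2617 test vectors, and the function names are illustrative.

```python
import base64
import hashlib


def md5_hex(text):
    # MD5 is used only because RFC 2617 Digest authentication specifies it.
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def decode_basic(header_value):
    """Recover (user, password) from an 'Authorization: Basic ...' value."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(token).decode("utf-8")
    user, _, password = decoded.partition(":")
    return user, password


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 'response' value for qop=auth; the password itself is never sent."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


# Sample inputs: RFC 2617 test vectors, not real credentials.
BASIC_HEADER = "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
RFC_VECTOR = dict(
    user="Mufasa",
    realm="testrealm@host.com",
    password="Circle Of Life",
    method="GET",
    uri="/dir/index.html",
    nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
    nc="00000001",
    cnonce="0a4f113b",
)

if __name__ == "__main__":
    # Basic: anyone who sees the header on the wire has the password.
    print("Basic decodes to:", decode_basic(BASIC_HEADER))
    # Digest: only a hash bound to the server's nonce crosses the wire.
    print("Digest response: ", digest_response(**RFC_VECTOR))
    # A new nonce (constructed value) yields a different response,
    # so a captured response does not answer a later challenge.
    fresh = {**RFC_VECTOR, "nonce": "constructed-fresh-nonce"}
    print("With fresh nonce:", digest_response(**fresh))
```
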
