----------------------------------------------------------------
BEFORE YOU POST, search the faq at <http://java.apache.org/faq/>
WHEN YOU POST, include all relevant version numbers, log files,
and configuration files.  Don't make us guess your problem!!!
----------------------------------------------------------------


>
> That is also why the 'handshake' with Internet Explorer does not
> send the password over the line.  If I'm not mistaken it starts with
> some bytes sent from the server to the browser.  The browser appends
> the password and calculates a hash from the total and then only
> that hash is sent to the server.
> This is only applicable to Internet Explorer and does not work with
> Netscape.  Also it is not applicable when you use basic authentication
> with that module
>
> Johan.
The problem (on something now way off topic) is that while the user is logged on the
hash can be used just like a password. No more secure than basic authentication
except that it (presumably) expires at some point.

> >
> > Brett,
> >
> > thanks for advice....I was considering that too, but am pretty sure that won't
> > happen in this environment (small intranet).
> >
> > You mentioned some decent web sites.......but I see no track of them in your
> > mail......can you (re)send them please?
> >
> > thanks again
> >
> > SeJo
> >
> > ----- Original Message -----
> > From: Brett Knights <[EMAIL PROTECTED]>
> > To: 'Java Apache Users' <[EMAIL PROTECTED]>
> > Sent: Friday, December 03, 1999 3:28 PM
> > Subject: RE: NT-Apache authorization.....URGENT
> >
> >
> > >
> > > Whoa!
> > > Think carefully before you start flying your ntlm passwords around the net.
> > > If your concern is BasicAuthentication vs. NTLM I'd highly recommend using SSL.
> > >
> > > When I looked at this I found a few decent web sites that address the topic.
> > > Check them out.
> > > Remember if someone captures an Apache password they can still only mess
> > > with what is controlled by apache. If someone captures an NTLM token for a
> > > user that can write to the registry they can mess with your server.
> > >
> > >
> > > ***********************************************************
> > > Brett Knights                             626-432-5767 work
> > > [EMAIL PROTECTED]                 626-355-1017 home
> > > ***********************************************************
> > >
> > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED]
> > > > [mailto:[EMAIL PROTECTED]]On Behalf Of Philippe Johan 999900280
> > > > Sent: Thursday, December 02, 1999 2:36 AM
> > > > To: SeJo; Java Apache Users
> > > > Subject: Re:NT-Apache authorization.....URGENT
> > > >
> > > >
> > > >
> > > > SeJo,
> > > >
> > > > concerning authorization, have a look at the module mod_ntlm at
> > > > http://www.ozemail.com.au/~timcostello/mod_ntlm/
> > > > (you can find it also in the modules.apache.org catalog).
> > > >
> > > > Now as to fetch the user name or something else, I think that'll
> > > > depend on the module you use for authentication.
> > > >
> > > > regards,
> > > >
> > > > Johan Philippe
> > > > E&Y Consulting
> > > >
> > > > SeJo:
> > > >
> > > > Hello,
> > > >
> > > > I am using ApacheWebServer and JServ on NT 4.0 and would like to configure
> > > > it (apache) to use the NT passwords for authorization. I still didn't find
> > > > the right module for doing so........
> > > >
> > > > But, the most important question is:
> > > >
> > > > How can I fetch the apache user name from the servlet code, once the user is
> > > > logged in using the apache authorization (no matter which one (files, DB's
> > > > ..NT))?
> > > >
> > > > help,help,help.....
> > > >
> > > >
> > > > SeJo
> > > >
> > > > ------------------------------------------------------------
> > > > Selim Cesic
> > > > Synes N.V.
> > > >
> > > > Email: [EMAIL PROTECTED]
> > > > Home: http://www.synes.com
> > > >
> > > > ------------------------------------------------------------
> > > >
> > > >
> > > >
> > > >
> > > > --
> > > > --------------------------------------------------------------
> > > > Please read the FAQ! <http://java.apache.org/faq/>
> > > > To subscribe:        [EMAIL PROTECTED]
> > > > To unsubscribe:      [EMAIL PROTECTED]
> > > > Archives and Other:  <http://java.apache.org/main/mail.html>
> > > > Problems?:           [EMAIL PROTECTED]
>
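
Added example, not part of the original thread and not the algorithm used by NTLM or mod_ntlm: a simplified Python model of the challenge-response exchange Johan describes at the top of this message (the server sends random bytes, the browser returns only a hash that depends on the password). The names `Server`, `client_response` and `demo`, the user and the password are constructed, and HMAC-SHA256 stands in for the hash, which the thread does not specify.

```python
import hashlib
import hmac
import secrets


def client_response(password, challenge):
    """What the browser sends: a keyed hash of the challenge, never the password."""
    return hmac.new(password.encode(), challenge, hashlib.sha256).digest()


class Server:
    """Model server that issues single-use challenges and verifies responses."""

    def __init__(self, users):
        self.users = users    # username -> password (constructed sample data)
        self.pending = {}     # username -> outstanding challenge

    def new_challenge(self, user):
        challenge = secrets.token_bytes(16)
        self.pending[user] = challenge
        return challenge

    def verify(self, user, response):
        # pop() makes each challenge single-use: a response that is sent
        # again has no outstanding challenge left to be checked against.
        challenge = self.pending.pop(user, None)
        password = self.users.get(user)
        if challenge is None or password is None:
            return False
        expected = client_response(password, challenge)
        return hmac.compare_digest(expected, response)


def demo():
    password = "constructed-sample-password"
    server = Server({"sejo": password})

    challenge = server.new_challenge("sejo")
    response = client_response(password, challenge)
    wire = [challenge, response]             # all that crosses the network
    first_login = server.verify("sejo", response)

    replay_same = server.verify("sejo", response)    # challenge already used
    server.new_challenge("sejo")                     # fresh random challenge
    replay_fresh = server.verify("sejo", response)   # old response, new challenge

    password_on_wire = any(password.encode() in message for message in wire)
    return first_login, replay_same, replay_fresh, password_on_wire
```

To check a response the server has to hold the password or an equivalent secret, and the exchange protects only the login step, not the traffic that follows it.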


