Re: j_security_check SSL

2009-03-13 Thread Christopher Schultz
Gregor, On 3/10/2009 5:44 PM, Gregor Schneider wrote: Mark, On Tue, Mar 10, 2009 at 8:23 PM, Mark Thomas ma...@apache.org wrote: Ditch FORM auth, use DIGEST. I'm afraid I don't see how to combine DIGEST with a Login-form - and that's a

Re: j_security_check SSL

2009-03-13 Thread Christopher Schultz
Chuck, On 3/10/2009 3:24 PM, Caldarale, Charles R wrote: From: Gregor Schneider [mailto:rc4...@googlemail.com] Subject: j_security_check SSL is there any way to achieve encryption for the Login-process without a valid SSL-cert? Note

Re: j_security_check SSL

2009-03-13 Thread André Warnier
Hi guys. I'm following this loosely, along with some other threads. There is another one going on right now which also talks about authentication, hijacking JSESSIONID etc. Gregor, what is not very clear to me, and maybe you want to do a wrapup, is what exactly you are - and are not - trying

Re: j_security_check SSL

2009-03-13 Thread Christopher Schultz
André, On 3/13/2009 10:38 AM, André Warnier wrote: Unless I am mistaken, I don't think that using HTTPS in order to protect the user-id/password from eavesdropping by some miscreant, you necessarily have to have a Verisign certificate for each

Re: j_security_check SSL

2009-03-13 Thread Gregor Schneider
Chris, On Fri, Mar 13, 2009 at 3:26 PM, Christopher Schultz ch...@christopherschultz.net wrote: Just to be clear, it's the session creation that is sensitive to SSL, not the actual login (authentication step). If your session exists and is visible to non-secure communications before

Re: j_security_check SSL

2009-03-13 Thread Christopher Schultz
Gregor, On 3/13/2009 11:42 AM, Gregor Schneider wrote: So would following scenario work? - login using form-based login via https - when successful: HttpSession session = request.getSession(); // guess that shouldn't happen if

Re: j_security_check SSL

2009-03-13 Thread Gregor Schneider
Hi André, first: Please forgive my late answer also to your PM, however, I was really busy here so that I didn't find any time to answer in an appropriate (aka detailed) manner. So here we go: Customers When talking about customers, I'm actually talking about our staff from

Re: j_security_check SSL

2009-03-13 Thread Gregor Schneider
Chris, On Fri, Mar 13, 2009 at 5:14 PM, Christopher Schultz ch...@christopherschultz.net wrote: Gregor, On 3/13/2009 11:42 AM, Gregor Schneider wrote: So would following scenario work? - login using form-based login via https - when

Re: j_security_check SSL

2009-03-13 Thread Christopher Schultz
Gregor, On 3/13/2009 1:58 PM, Gregor Schneider wrote: So will I then be able to access the HttpSession-object created when inside HTTPS (login-page) when I'm querying it from within a JSP served via plain HTTP? No, the session will be created in

j_security_check SSL

2009-03-10 Thread Gregor Schneider
And another one: AFAIK, when using Form-based Authentication, the parameters for j_security_check are sent in a readable manner over the wire, thus prone to attack. Therefore, it is recommended to use SSL-encryption for the Form-Loginpage. However, that means that one has to buy one of

Re: j_security_check SSL

2009-03-10 Thread Mark Thomas
Gregor Schneider wrote: And another one: AFAIK, when using Form-based Authentication, the parameters for j_security_check are sent in a readable manner over the wire, thus prone to attack. Correct. Therefore, it is recommended to use SSL-encryption for the Form-Loginpage. Correct.

RE: j_security_check SSL

2009-03-10 Thread Caldarale, Charles R
From: Gregor Schneider [mailto:rc4...@googlemail.com] Subject: j_security_check SSL is there any way to achieve encryption for the Login-process without a valid SSL-cert? We normally use a self-signed certificate. That does pop up a browser message to that effect, which might scare off

Re: j_security_check SSL

2009-03-10 Thread Gregor Schneider
Mark, On Tue, Mar 10, 2009 at 8:23 PM, Mark Thomas ma...@apache.org wrote: Ditch FORM auth, use DIGEST. I'm afraid I don't see how to combine DIGEST with a Login-form - and that's a customer request. I know that SecurityFilter is quite a handy tool, however, that doesn't support Tomcat's