Richard Cannings wrote:
> ...How can I have a servlet authenticate that the applet sending the
> information to the servlet is truly mine?
Hi,

I think that no matter how you slice it, the answer is that it can't be done,
and it boils down to two reasons:

1. Your servlet must accept network connections from the Internet, and so must
authenticate / verify every one of them - programs like "Satan" look for
daemons listening at TCP/IP ports, for example.

2. Any information you send to someone else's computer can be examined,
debugged, played with, copied, etc. If a person has full control of their
client machine, they can do whatever they want with the info you send.

This implies that you can't send any "secrets" to the client. BUT, in order
to authenticate a client, that's done by checking to see if a client knows a
secret that you do. Hard to do if you can't send a secret in the first place.
(For example, when you log in somewhere, you enter a password. The server
wants to see if you are in possession of the same secret that it is.)

There might be something you could do with digitally signed pieces of code,
and/or encrypted connections to the client, but offhand, I don't see how it'd
work.
- Robb
___________________________________________________________________________
Archives: http://archives.java.sun.com/archives/servlet-interest.html
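
The point made in the reply above, shown as a challenge-response check (an added example, not code from the original post or the list): the server can only test knowledge of a secret, so a secret shipped inside the applet proves nothing about which program is answering, while a secret the user types in authenticates the user. The class name, method names and secret values are constructed for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;

// Added illustration; class, method names and secrets are hypothetical.
public class ChallengeResponseDemo {
    // Server side: a fresh random challenge per connection, so a captured
    // response cannot simply be sent again later.
    static byte[] newChallenge() {
        byte[] nonce = new byte[16];
        new SecureRandom().nextBytes(nonce);
        return nonce;
    }

    // Client side: prove knowledge of the secret without transmitting it.
    static byte[] respond(byte[] secret, byte[] challenge) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        return mac.doFinal(challenge);
    }

    // Server side: recompute the expected value, compare in constant time.
    static boolean verify(byte[] secret, byte[] challenge, byte[] response) throws Exception {
        return MessageDigest.isEqual(respond(secret, challenge), response);
    }

    public static void main(String[] args) throws Exception {
        // Case 1: the secret is a constant inside the downloaded applet.
        byte[] embedded = "constructed-secret-in-applet-jar".getBytes(StandardCharsets.UTF_8);
        byte[] c1 = newChallenge();
        System.out.println("genuine applet accepted: " + verify(embedded, c1, respond(embedded, c1)));
        // Everyone who downloads the applet holds the same constant, so any
        // other program on the client computes an identical response.
        byte[] c2 = newChallenge();
        System.out.println("other program accepted:  " + verify(embedded, c2, respond(embedded, c2)));

        // Case 2: a per-user secret entered at run time, never in the code.
        // This authenticates the person, not the applet they are running.
        byte[] userSecret = "constructed-user-password".getBytes(StandardCharsets.UTF_8);
        byte[] wrong = "constructed-wrong-guess".getBytes(StandardCharsets.UTF_8);
        byte[] c3 = newChallenge();
        System.out.println("user with secret accepted: " + verify(userSecret, c3, respond(userSecret, c3)));
        System.out.println("wrong secret accepted:     " + verify(userSecret, c3, respond(wrong, c3)));
    }
}
```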