Hi,

My client is going to adopt the RSA ACE security infrastructure which, to my
understanding, will require users to append a hardware-generated number to
their passwords when they authenticate. So we will have a system where the
password changes every 15 seconds and it cannot be cached in Tomcat and
used for subsequent accesses to LDAP (unless your software is RSA ACE aware
and can deal with it somehow).

(I am not really familiar with RSA ACE security, so I might be missing
something here.)

If I understand correctly, Tomcat 3.x has the following security architecture:
1. Extract user/password from the user Session for Form-based authentication
(from headers for Basic authentication)
2. For *every request* perform authentication and authorization

This might be a problem if the password on the backend changes constantly. The
cached password will expire in, let's say, 15 seconds and that will break Tomcat's
security.

One solution to the problem would be to cache all
authentication/authorization info in the user session (you are already caching
username and password for form-based authentication there) and use it as a
proof of successful authentication for all subsequent requests.

Do you see any problems with this approach?
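A small simulation of the two strategies the post contrasts (re-checking the cached passcode on every request versus caching the verdict in the session), added here as an example and not code from either poster or from Tomcat. The rotating token and the backend are constructed stand-ins (not RSA's algorithm), and the 15-second window follows the figure in the post.

```python
import hmac
import struct
TOKEN_PERIOD = 15  # seconds per token window, as in the original post


def token_code(seed: bytes, now: int) -> str:
    # Constructed stand-in for a rotating token code (not RSA's algorithm):
    # 6 digits derived from a per-user seed and the current 15-second window.
    mac = hmac.new(seed, struct.pack(">Q", now // TOKEN_PERIOD), "sha256").digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


class Backend:
    """Stand-in for the directory/ACE backend: expects PIN + current token code."""
    def __init__(self, users: dict):
        self.users = users  # username -> (pin, token seed)

    def authenticate(self, username: str, passcode: str, now: int) -> bool:
        if username not in self.users:
            return False
        pin, seed = self.users[username]
        return hmac.compare_digest(pin + token_code(seed, now), passcode)


def per_request_auth(backend: Backend, session: dict, now: int) -> bool:
    # Strategy 1 (the Tomcat 3.x behaviour described): replay the cached
    # passcode against the backend on every request.
    return backend.authenticate(session["user"], session["passcode"], now)


def session_cached_auth(backend: Backend, session: dict, now: int, max_age: int = 1800) -> bool:
    # Strategy 2 (the poster's proposal): verify once, then keep only the
    # verdict and its timestamp in the session; the passcode is discarded.
    if "auth_time" in session:
        return now - session["auth_time"] <= max_age  # bounded lifetime
    if backend.authenticate(session["user"], session.pop("passcode"), now):
        session["auth_time"] = now
        return True
    return False


def simulate() -> dict:
    seed = b"constructed-seed"
    backend = Backend({"alice": ("1234", seed)})
    t0 = 1_000_000
    login = {"user": "alice", "passcode": "1234" + token_code(seed, t0)}
    naive, cached = dict(login), dict(login)
    return {
        "naive_t0": per_request_auth(backend, naive, t0),
        "naive_t30": per_request_auth(backend, naive, t0 + 30),  # token rotated
        "cached_t0": session_cached_auth(backend, cached, t0),
        "cached_t30": session_cached_auth(backend, cached, t0 + 30),
        "cached_expired": session_cached_auth(backend, cached, t0 + 3600),
        "passcode_retained": "passcode" in cached,
    }
```

The session keeps a bounded-lifetime verdict rather than the passcode, so a later request succeeds after the token rotates but the cached proof still expires.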


The RSA ACE security infrastructure permits you to log on using your known
password plus a generated number (as you almost correctly stated). This one
can ALSO be generated using a soft generator (instead of a hardware one). I
know that such ones exist for Windows, PalmOS, Nokia 9210, Ericsson
R380s, etc. (and are provided by RSA), but I don't know if they have a Java-
based one (for more info take a look at
http://www.rsasecurity.com/products/securid/index.html)
 
With this in mind you only need to cache the password and take the generated
number each time you need to pass the credentials to LDAP.
 
Hope this helps.
--
Víctor A. Rodríguez ( http://www.bit-man.com.ar )
Telefónica de Argentina - http://www.Telefonica.com.ar
Tel. (54-11) 4333-7305 - Fax: (54-11) 4303-5586 int. 1680
