John,

You definitely don't want to rely on an IP address, which can be spoofed, proxied for use with many users (as in the case of AOL), and change between HTTP requests with some proxy servers.

What you're looking for is a web single sign-on solution. I'm in the process of writing a white paper on security requirements that should be considered for a web single sign on solution and will send you a link to the document when I post it.

Gary

John Klancer wrote:
Hello

Let me preface by saying my knowledge and experience with security is
primitive.

I am now working on a project wherein we have a set of ASP pages with a
custom authentication process. I have embedded a servlet into one of
these ASP pages but want to avoid making the user authenticate twice
(once for the ASP pages, once again to access the servlet).

To that end, I have been doing a lot of online research, but haven't
found any pre-existing solutions (which surprises me). First question -
does anyone know of anything already out there? If I do have to create
my own solution, I was thinking of having IIS, on the user's
authentication, store the IP address of the authenticating user in a
file on the server (say %TOMCAT%\conf\auth-users.xml or something).
Then, when the user attempts to access the servlet, a custom Realm would
check to see if his/her IP is in auth-users.xml and grant/deny access
based on that.

My question is - is this feasible? Equally important, is it truly
secure?

Thanks for helping out a total security n00b.

- John


--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]


--


Gary Gwin
http://www.cafesoft.com

*****************************************************************
*                                                               *
*   The Cafesoft Access Management System, Cams, is security    *
*   software that provides single sign-on authentication and    *
*   centralized access control for Apache, Tomcat, and custom   *
*   resources.                                                  *
*                                                               *
*****************************************************************


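As an added illustration (not code from either poster, Cams, or the Tomcat project) of why a shared, signed session token is the usual building block for the single sign-on Gary points to, and why it is a safer hand-off than the IP-address file John proposes: the login side (here standing in for the ASP pages) issues a token that binds the authenticated user name to an expiry time under an HMAC with a secret shared only with the servlet side; the servlet side (standing in for a custom Realm or Filter) recomputes the MAC before trusting the name. The token is tied to the user and a deadline rather than to a network address, so proxies, address sharing and address changes between requests do not matter, and a client cannot alter the user field without invalidating the signature. The secret value, user names and timestamps below are constructed for the example.

```python
import hmac
import hashlib
from typing import Optional

# Constructed placeholder. In a deployment this would be a long random value
# configured identically on the login side and on the servlet side; it is
# never sent to the browser.
SHARED_SECRET = b"replace-with-a-long-random-secret"

TOKEN_SEP = "|"


def _signature(user: str, expires: int, secret: bytes) -> str:
    """HMAC-SHA256 over the user name and expiry, hex-encoded."""
    msg = f"{user}{TOKEN_SEP}{expires}".encode("utf-8")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_token(user: str, now: int, ttl_seconds: int = 300,
                secret: bytes = SHARED_SECRET) -> str:
    """Issuer side (the page that performed the real authentication):
    bind the user name to an expiry and sign both fields."""
    if TOKEN_SEP in user:
        raise ValueError("user name must not contain the separator")
    expires = now + ttl_seconds
    return TOKEN_SEP.join([user, str(expires), _signature(user, expires, secret)])


def verify_token(token: str, now: int,
                 secret: bytes = SHARED_SECRET) -> Optional[str]:
    """Verifier side (the servlet Realm/Filter): return the user name only if
    the token is well formed, the signature matches and it has not expired."""
    parts = token.split(TOKEN_SEP)
    if len(parts) != 3:
        return None
    user, expires_str, sig = parts
    if not expires_str.isdigit():
        return None
    expires = int(expires_str)
    # Recompute the MAC and compare in constant time so a forged token
    # cannot be refined byte by byte from timing differences.
    expected = _signature(user, expires, secret)
    if not hmac.compare_digest(expected, sig):
        return None
    if now >= expires:
        return None
    return user


def demo(now: int = 1_700_000_000) -> dict:
    """Run the hand-off for a constructed user and show what the verifier
    accepts and rejects."""
    good = issue_token("jklancer", now)
    # A client that edits the user field keeps the old signature, which no
    # longer matches the new fields.
    tampered = good.replace("jklancer", "admin", 1)
    return {
        "valid": verify_token(good, now + 10),            # "jklancer"
        "tampered": verify_token(tampered, now + 10),     # None
        "expired": verify_token(good, now + 301),         # None
        "wrong_secret": verify_token(good, now + 10, secret=b"other"),  # None
        "malformed": verify_token("no-separators", now),  # None
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>12}: {result!r}")
```

In a real deployment the token would travel in a cookie marked Secure and HttpOnly over HTTPS, the issuer and verifier would need reasonably synchronised clocks for the expiry check, and a short lifetime (or a server-side nonce list) limits the window in which a stolen token can be replayed. None of those properties are available when the shared state is a client's IP address.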