You definitely don't want to rely on an IP address, which can be spoofed, proxied for use with many users (as in the case of AOL), and change between HTTP requests with some proxy servers.
What you're looking for is a web single sign-on solution. I'm in the process of writing a white paper on security requirements that should be considered for a web single sign-on solution and will send you a link to the document when I post it.
Gary
John Klancer wrote:
Hello
Let me preface by saying my knowledge and experience with security is primitive.
I am now working on a project wherein we have a set of ASP pages with a custom authentication process. I have embedded a servlet into one of these ASP pages but want to avoid making the user authenticate twice (once for the ASP pages, once again to access the servlet).
To that end, I have been doing a lot of online research, but haven't found any pre-existing solutions (which surprises me). First question - does anyone know of anything already out there? If I do have to create my own solution, I was thinking of having IIS, on the user's authentication, store the IP address of the authenticating user in a file on the server (say %TOMCAT%\conf\auth-users.xml or something). Then, when the user attempts to access the servlet, a custom Realm would check to see if his/her IP is in auth-users.xml and grant/deny access based on that.
My question is - is this feasible? Equally important, is it truly secure?
Thanks for helping out a total security n00b.
- John
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
--
Gary Gwin http://www.cafesoft.com
*****************************************************************
* The Cafesoft Access Management System, Cams, is security
* software that provides single sign-on authentication and
* centralized access control for Apache, Tomcat, and custom
* resources.
*****************************************************************
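To make the two designs in this thread concrete, here is an added Python model (not code from either poster, from Cafesoft or from Tomcat; a real Tomcat Realm would be written in Java against the Catalina API) of the IP-allowlist realm John describes beside the kind of per-user, signed session token a web single sign-on scheme hands from the login page to the servlet. It plays out the two failure modes Gary names, many users sharing one proxy address and a proxy rotating the address between requests, and shows that the token survives both. The shared secret, the IP addresses, the user names and the clock value are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed secret for the example. In a deployment both the ASP login page
# and the servlet side would load this from protected configuration.
SHARED_SECRET = b"constructed-example-secret-shared-by-asp-and-servlet"


class IpAddressRealm:
    """Model of the design in the question: the login page records the
    authenticating client's IP and the servlet side grants access to any
    request that arrives from a recorded IP."""

    def __init__(self):
        self.authenticated_ips = set()

    def record_login(self, client_ip):
        self.authenticated_ips.add(client_ip)

    def is_authorized(self, client_ip):
        return client_ip in self.authenticated_ips


def issue_token(username, issued_at, ttl_seconds=900, key=SHARED_SECRET):
    """Issue an expiring token bound to the user and signed with HMAC-SHA256.
    The login page would hand this to the browser (for example as a cookie)
    so the servlet can learn who logged in without a second password prompt."""
    claims = {"sub": username, "iat": issued_at, "exp": issued_at + ttl_seconds}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig


def verify_token(token, now, key=SHARED_SECRET):
    """Return the username if the token is well-formed, unmodified and not
    expired, otherwise None. The client's IP address is never consulted."""
    try:
        encoded, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(encoded.encode())
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if now >= claims.get("exp", 0):
        return None
    return claims.get("sub")


def shared_proxy_grants_stranger():
    """Many users behind one proxy share a single source IP: once any one of
    them logs in, the realm cannot tell the others apart from that user."""
    realm = IpAddressRealm()
    proxy_egress = "198.51.100.7"             # constructed shared proxy address
    realm.record_login(proxy_egress)          # alice authenticates via the proxy
    return realm.is_authorized(proxy_egress)  # bob, never logged in, same IP


def ip_rotation_locks_out_user():
    """Some proxies change the source IP between requests: the user who just
    logged in is denied on the very next request."""
    realm = IpAddressRealm()
    realm.record_login("198.51.100.7")
    return realm.is_authorized("198.51.100.8")


def token_flow_results():
    """The same scenarios with the signed token: access follows the token,
    not the address, and a modified, unsigned-by-us or stale token is rejected."""
    now = 1_700_000_000                       # constructed clock value
    alice = issue_token("alice", now)
    # flip the last hex digit of the signature to simulate modification in transit
    tampered = alice[:-1] + ("0" if alice[-1] != "0" else "1")
    # a token minted with some other key must not verify against ours
    other_key = issue_token("alice", now, key=b"some-other-key")
    return {
        "same_proxy_other_user": verify_token("", now),          # bob holds no token
        "alice_after_ip_change": verify_token(alice, now + 60),  # IP is irrelevant
        "tampered": verify_token(tampered, now + 60),
        "other_key": verify_token(other_key, now + 60),
        "expired": verify_token(alice, now + 3600),
    }
```

The token carries a subject and an expiry, so the servlet side learns which user logged in, not merely that someone did, and a stale token stops working on its own; with the IP file there is nothing to expire and nothing to distinguish one user behind the proxy from another. Storing the shared key in a file the servlet can read is the piece that has to be protected in such a scheme.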