Re: interaction between .forward() and

Mon, 06 Sep 2010 08:05:05 -0700

Thanks to all who have responded. The advice and comments have been very helpful.
For my application, the MIM vulnerability is a concern, so I expect to be using HTTPS for at least some of the traffic. Next steps are to clarify my confidentiality requirements and see what I can find on the performance implications of using HTTPS, i.e. is it cheap enough that I don't have to worry about using it for all traffic. 

Brian




On 04/09/2010 17:27, André Warnier wrote:

Brian McBride wrote:
...


Ok - now to figure out how to implement digest authentication ...


Digest authentication is not very popular, and rather a pain to 
implement yourself.
The reason why it is not very popular is that it is a bit of a halfway 
solution : it does avoid user passwords to be transmitted in clear 
over the net, but it is not safe for man-in-the-middle attacks 
(someone can record the digest, and use it to authenticate later as 
that user).  And it still leaves the subsequent conversation unencrypted.



If you really need security, then you should run your entire site 
under HTTPS.
This will also allow you to do Basic authentication, or form-based 
authentication, since the authentication dialog is encrypted anyway by 
the HTTPS connection.



Maybe also your needs would be a valid reason to use an Apache httpd 
front-end for your site, taking care of the HTTPS side and/or the 
authentication.  httpd can then authenticate the user (using pretty 
much any method of your choice, there are standard modules available 
for all), and just pass the already-authenticated user-id to Tomcat.

Tomcat can then just do the access-control part.

(or if you prefer, you could even do that at the Apache httpd level 
also).



In this case the added overhead would be minimal, because what you do 
at the httpd level, you do not need to do at the Tomcat level and 
vice-versa.



It is all basically a matter of preference.  Not being myself a Tomcat 
or Java guru, I prefer to do these things at the Apache httpd level, 
and keep the Tomcat side simple.

Your mileage may vary.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org























					Reply via email to