Mark,
Thanks for the reply. Sorry it took me a bit to get back to you on this.
Comments inline.
>>OK. I see this as just being a password that is so long that it has
>>to be written down (eg on the USB key) and physically carried around
>>by the user. There is an interesting debate here as to
Mark Thomas wrote:
David,
D M wrote:
1. Local files as authentication tokens
OK. I see this as just being a password that is so long that it has to
be written down (eg on the USB key) and physically carried around by the
user. There is an interesting debate here as to whether this is more or
less secure than
Remy Maucherat wrote:
I'll be the first to admit, however, that
FORM (and the other auth methods from the spec) are insufficient and not
flexible enough, and I am not completely against adding additional
custom auth-methods.
Can you give some use cases where the spec falls short?
Mark
---
Hi Mark,
Thanks for your comments. My responses inline.
>1. Your reference to sending an encrypted user certificate file to the
>server demonstrates a lack of understanding of PKI that undermines my
>confidence that you know what you are doing when it comes to security.
I think I wasn't being
Mark Thomas wrote:
I am -1 for this for the following reasons (in order of importance):
1. Your reference to sending an encrypted user certificate file to the
server demonstrates a lack of understanding of PKI that undermines my
confidence that you know what you are doing when it comes to security.
2. JAAS provi
Hi,
I've been working on some code for Form authentication in Tomcat that I think
you all might be interested in. In addition to implementing the current
J2EE/Servlet spec for authentication (i.e. j_security_check with two keys:
j_username, j_password authenticated with the Realm), it also off