The points you raise are, of course, real and important.
I would probably decide the same as you for a high profile, publicly available
application.
I, however, most often have to develop complex apps only used by, at most, 100s
of corporate users.
I know perimetric security is less and less fashi
On 8/31/2015 8:54 AM, Christopher Schultz wrote:
You also tell them how long they have to wait before they can resume
their brute-force attack without wasting their own time.
Much better to let a brute force attacker pound away at a locked
account wasting their resources and probably tripping
Ok I found FormAuthenticator and landingPage attribute in it in the source.
But how do I use that in my application? What do I do?
Any documentation for this ?
On Tue, Sep 1, 2015 at 12:46 AM, Sreyan Chakravarty <
sreyan.mail...@gmail.com> wrote:
> Well Christopher thanks for that eye opener.
Well Christopher thanks for that eye opener. I didn't know that the specs
were so inconsistent.
Okay, now regarding your comment:
"Servlet 3.0 added the HttpServletRequest.login() method would improved
the situation greatly: you can implement your own login handler that
plugs-into the authenticat
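The quoted advice is to bypass j_security_check entirely and drive the container's authenticator from your own code with the Servlet 3.0 HttpServletRequest.login() method. The following is an added example, not code from this thread or from Tomcat: a hypothetical servlet mapped at /do-login that the login form on the welcome page posts to. The form field names ("username", "password", "target") and the servlet path are assumptions; /index.jsp?error=true and /teacher/success.jsp are the paths used earlier in the thread.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Added example, not code from the thread or from Tomcat. A hypothetical servlet
 * mapped at /do-login that the login form on the welcome page (index.jsp) posts
 * to; the form field names "username", "password" and "target" are assumptions.
 * /index.jsp?error=true and /teacher/success.jsp are the paths from the thread.
 */
@WebServlet("/do-login")
public class WelcomePageLoginServlet extends HttpServlet {

    private static final String ERROR_PAGE = "/index.jsp?error=true";
    private static final String DEFAULT_TARGET = "/teacher/success.jsp";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String ctx = req.getContextPath();
        if (req.getUserPrincipal() != null) {
            // Already logged in: request.login() would throw, so just move on.
            resp.sendRedirect(ctx + safeTarget(req.getParameter("target")));
            return;
        }
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (user == null || pass == null || user.isEmpty()) {
            resp.sendRedirect(ctx + ERROR_PAGE);
            return;
        }
        try {
            // Servlet 3.0: authenticate against the container's configured Realm
            // directly, so no earlier request for a protected resource (and no
            // saved request) is required, unlike a POST to j_security_check.
            req.login(user, pass);
        } catch (ServletException e) {
            // One generic failure path: do not reveal whether the user exists.
            resp.sendRedirect(ctx + ERROR_PAGE);
            return;
        }
        // Rotate the session id after authentication (Servlet 3.1) so a session
        // fixed by an attacker before login is not carried into the logged-in state.
        req.getSession(true);
        req.changeSessionId();
        resp.sendRedirect(ctx + safeTarget(req.getParameter("target")));
    }

    // Accept only an in-application, absolute-path destination; anything else
    // (external URL, protocol-relative "//host", backslash tricks) falls back to
    // the default so the parameter cannot become an open redirect.
    static String safeTarget(String target) {
        if (target == null || !target.startsWith("/") || target.startsWith("//")
                || target.contains(":") || target.contains("\\")) {
            return DEFAULT_TARGET;
        }
        return target;
    }
}
```

The welcome page's form then posts to ${pageContext.request.contextPath}/do-login instead of j_security_check, and the security-constraint on /teacher/success.jsp stays in web.xml exactly as before: it is still the container that decides whether the authenticated principal holds the TEACHER role. The two redirect branches for bad input and bad credentials are deliberately identical so that the response does not say which one occurred.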
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Mark,
On 8/31/15 2:01 PM, Mark Thomas wrote:
> On 31/08/2015 18:49, Christopher Schultz wrote:
>
>> Really the only thing the servlet spec is missing is a setting
>> in like or something like
>> that, so that if you try to login with j_security_c
On 31/08/2015 18:49, Christopher Schultz wrote:
> Really the only thing the servlet spec is missing is a setting in
> like or something like that, so
> that if you try to login with j_security_check and you hadn't already
> requested a protected resource, the container knows where to send the
>
Sreyan,
On 8/31/15 1:42 PM, Sreyan Chakravarty wrote:
> Yup, the API is very easy to but that keeps a compile-time
> dependency. What I mean is that you also need to put the sCrypt jar
> into your /lib folder. If that's okay then things get really easy
Sreyan,
On 8/31/15 1:39 PM, Sreyan Chakravarty wrote:
> First of all, I did read the Servlet Spec; it provided no hint as to
> what I was doing wrong.
>
> So you are saying that I can't have a login form on the page when
> the welcome page? Why not
Yup, the API is very easy to but that keeps a compile-time dependency. What
I mean is that you also need to put the sCrypt jar into your /lib folder. If
that's okay then things get really easy.
Regards
Sreyan Chakravarty
On Mon, Aug 31, 2015 at 10:52 PM, Christopher Schultz <
ch...@christopherschult
First of all, I did read the Servlet Spec; it provided no hint as to what I
was doing wrong.
So you are saying that I can't have a login form on the page when the
welcome page? Why not? Tons of sites have just that, like Twitter and
Facebook. It seems weird why I can't have it on my welcome page.
Sreyan,
On 8/31/15 12:34 PM, Sreyan Chakravarty wrote:
> Wait I am sure I am going wrong in a fundamental area.
>
> My security constraint is as follows:
>
>
> TECHERS
> /teacher/success.jsp
> GET POST
>
>
> TEACHER
>
>
> FORM
> /i
Sreyan,
On 8/31/15 12:23 PM, Sreyan Chakravarty wrote:
> Christopher, what I am planning to do is get the source of an
> open source sCrypt library and actually copy-paste the source
> code into ScryptCredentialHandler.java, since I am no s
Diarmuid,
On 8/31/15 11:36 AM, dmccrthy wrote:
> To cut a long story short openssl helped. Using openssl -connect
> showed the error below. When I added the -tls1 flag the error went
> away.
>
> 2104:error:1408F119:SSL routines:SSL3_GET_RECORD:decr
> From: Sreyan Chakravarty [mailto:sreyan.mail...@gmail.com]
> Subject: Re: HTTP 400 with Form based authentication
> My security constraint is as follows:
>
> FORM
>
> /index.jsp
> /index.jsp?error=true
>
>
> This is my understanding o
Wait I am sure I am going wrong in a fundamental area.
My security constraint is as follows:
TECHERS
/teacher/success.jsp
GET
POST
TEACHER
FORM
/index.jsp
Christopher, what I am planning to do is get the source of an open
source sCrypt library and actually copy-paste the source code into
ScryptCredentialHandler.java, since I am no security expert.
Now this eliminates the compile-time dependency, but if the open source
scrypt library is updat
Hi Chris,
To cut a long story short openssl helped. Using openssl -connect showed the
error below. When I added the -tls1 flag the error went away.
2104:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad
record mac:.\ssl\s3_pkt.c:532:
Configuring Tomcat with the JVM parameter b
Mark,
On 8/31/15 6:42 AM, Mark Thomas wrote:
> On 31/08/2015 07:32, Ludovic Pénet wrote:
>> I can't see what would be the risks with being able to explain
>> "This account is locked for X minutes"...
>
> An attacker performing a brute force attack
Chuck,
On 8/30/15 8:52 PM, Caldarale, Charles R wrote:
>> From: Jerry Malcolm [mailto:techst...@malcolms.com] Subject:
>> Webapp killing entire Tomcat process
>
>> But in my opinion, no matter what happens in the code, TC
>> shouldn't completely di
Sreyan,
On 8/29/15 4:54 PM, Sreyan Chakravarty wrote:
> Now can you tell me how I write my own custom credential
> handler? Planning one that uses sCrypt.
Just create a new class that implements the CredentialHandler
interface. Of course, that m
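To show what "a new class that implements the CredentialHandler interface" looks like in practice, here is an added example that is not code from this thread or from Tomcat; it also stands in for the scrypt handler Sreyan asks about above. It implements Tomcat's org.apache.catalina.CredentialHandler interface (matches() and mutate()) using PBKDF2-HMAC-SHA256 from the JDK's javax.crypto rather than scrypt, precisely because the JDK ships no scrypt and this avoids the extra jar in /lib that the thread is debating. The stored-credential layout "pbkdf2$iterations$saltHex$hashHex", the default parameters and the class name are this example's own choices.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import org.apache.catalina.CredentialHandler;

/*
 * Added example, not from the thread or from Tomcat. Implements Tomcat's
 * CredentialHandler with PBKDF2-HMAC-SHA256 from the JDK (no scrypt in the JDK,
 * no extra jar needed). The stored layout "pbkdf2$iterations$saltHex$hashHex"
 * is this example's own format.
 */
public class Pbkdf2CredentialHandler implements CredentialHandler {

    private static final String ALGORITHM = "PBKDF2WithHmacSHA256";
    private static final SecureRandom RNG = new SecureRandom();

    // Set from server.xml attributes on the <CredentialHandler> element via
    // these setters; the defaults below are this example's assumptions.
    private int iterations = 100_000;
    private int saltLength = 16;   // bytes
    private int keyLength = 256;   // bits

    public void setIterations(int iterations) { this.iterations = iterations; }
    public void setSaltLength(int saltLength) { this.saltLength = saltLength; }
    public void setKeyLength(int keyLength) { this.keyLength = keyLength; }

    // Called by the Realm on login: compare the submitted password to the stored value.
    @Override
    public boolean matches(String inputCredentials, String storedCredentials) {
        if (inputCredentials == null || storedCredentials == null) return false;
        String[] parts = storedCredentials.split("\\$");
        if (parts.length != 4 || !"pbkdf2".equals(parts[0])) return false;
        try {
            int iters = Integer.parseInt(parts[1]);
            byte[] salt = fromHex(parts[2]);
            byte[] expected = fromHex(parts[3]);
            byte[] actual = derive(inputCredentials.toCharArray(), salt, iters, expected.length * 8);
            // Constant-time comparison so a mismatch position is not a timing oracle.
            return MessageDigest.isEqual(expected, actual);
        } catch (IllegalArgumentException e) {   // bad number or bad hex in stored value
            return false;
        }
    }

    // Called when a credential is created: fresh random salt per password.
    @Override
    public String mutate(String inputCredentials) {
        if (inputCredentials == null) return null;
        byte[] salt = new byte[saltLength];
        RNG.nextBytes(salt);
        byte[] hash = derive(inputCredentials.toCharArray(), salt, iterations, keyLength);
        return "pbkdf2$" + iterations + "$" + toHex(salt) + "$" + toHex(hash);
    }

    private static byte[] derive(char[] password, byte[] salt, int iters, int bits) {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iters, bits);
        try {
            return SecretKeyFactory.getInstance(ALGORITHM).generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(ALGORITHM + " unavailable", e);
        } finally {
            spec.clearPassword();            // wipe the copies of the clear-text password
            Arrays.fill(password, '\0');
        }
    }

    private static String toHex(byte[] b) {
        StringBuilder sb = new StringBuilder(b.length * 2);
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    private static byte[] fromHex(String s) {
        if (s.length() % 2 != 0) throw new IllegalArgumentException("odd hex length");
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++)
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        return out;
    }
}
```

The class goes into the webapp's or Tomcat's classpath and is named as a <CredentialHandler className="..." iterations="..."/> element nested inside the <Realm> in server.xml or context.xml, which is where Tomcat looks for a handler. Because the iteration count is written into each stored credential, raising the configured value later only affects newly stored passwords while old ones keep verifying. Swapping the derivation for scrypt, if the jar is accepted into /lib, means changing only derive() and the "pbkdf2" label.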
On 31/08/2015 07:32, Ludovic Pénet wrote:
> I can't see what would be the risks with being able to explain "This account
> is locked for X minutes"...
An attacker performing a brute force attack has zero knowledge. They
have to guess both user names and passwords. Telling an attacker an
account i
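The argument above is about what the failure message gives away to someone who does not yet know which user names exist. As an added example, not code from this thread or from Tomcat, the class below keeps the client-visible outcome identical in every failure case (unknown user, wrong password, or locked account, even when the password is right) and records attempts against locked accounts only for the monitoring side. The threshold and lock window are hypothetical values, and the PasswordCheck callback stands in for whatever Realm or CredentialHandler does the real verification.

```java
import java.util.HashMap;
import java.util.Map;

/*
 * Added example, not from the thread or from Tomcat. A lockout whose only
 * client-visible outcome is "login failed"; the lock state and the attempt
 * count against a locked account are kept for detection, never returned.
 * maxFailures and lockMillis are hypothetical policy values.
 */
public final class SilentLockout {

    /** Stand-in for the real Realm/CredentialHandler check. */
    public interface PasswordCheck { boolean matches(String user, String password); }

    private static final class State {
        int failures;              // consecutive failures since last success
        long lockedUntil;          // 0 when not locked
        int attemptsWhileLocked;   // what the SOC wants to see
    }

    private final int maxFailures;
    private final long lockMillis;
    private final PasswordCheck check;
    private final Map<String, State> states = new HashMap<>();

    public SilentLockout(int maxFailures, long lockMillis, PasswordCheck check) {
        this.maxFailures = maxFailures;
        this.lockMillis = lockMillis;
        this.check = check;
    }

    /** One boolean for the caller: there is no "locked" or "no such user" outcome. */
    public synchronized boolean login(String user, String password, long now) {
        State s = states.computeIfAbsent(user, u -> new State());
        // Always run the credential check, so the (hash-dominated) response time
        // does not differ between a locked and an unlocked account.
        boolean good = check.matches(user, password);
        if (s.lockedUntil > now) {
            s.attemptsWhileLocked++;   // the attacker keeps spending effort here
            return false;              // a correct password still fails while locked
        }
        if (good) {
            s.failures = 0;
            s.lockedUntil = 0;
            return true;
        }
        if (++s.failures >= maxFailures) {
            s.lockedUntil = now + lockMillis;
            s.failures = 0;
        }
        return false;
    }

    /** Monitoring view only: accounts still being hammered while locked. */
    public synchronized int attemptsWhileLocked(String user) {
        State s = states.get(user);
        return s == null ? 0 : s.attemptsWhileLocked;
    }

    /** Monitoring view only: whether the account is currently locked. */
    public synchronized boolean isLocked(String user, long now) {
        State s = states.get(user);
        return s != null && s.lockedUntil > now;
    }
}
```

The web layer maps the single false return to the same error page the thread already uses (/index.jsp?error=true); the lock state is surfaced through isLocked() and attemptsWhileLocked() to logging or alerting, which is the "tripping alarms" outcome Christopher describes rather than a countdown shown to the client. Unknown user names get the same treatment because computeIfAbsent creates a State for them as well, so a guesser cannot tell a non-existent account from a real one by when lockout sets in.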
On 31/08/2015 07:01, Sreyan Chakravarty wrote:
> Can you provide a link to the Servlet Spec and the section to which you are
> referring?
You need to be doing a little more research yourself between asking
questions rather than expecting the folks here to spoon feed you the
answers.
If you want to
On 31/08/2015 07:00, Sreyan Chakravarty wrote:
> I don't understand where I requested the login page directly? I just put
> as index.jsp and the error page as
> index.jsp?error=true.
>
> So where is my error ?
Did you request '/teacher/success.jsp'? No, you did not.
Did you request '/in