David,
D M wrote:
1. Local files as authentication tokens
OK. I see this as just being a password that is so long that it has to
be written down (e.g. on the USB key) and physically carried around by the
user. There is an interesting debate here as to whether this is more or
less secure than a 'good' pass-phrase that the user can just carry
around in their head. My instinct is that it is about the same but the
additional complexity required to implement it makes me lean towards
less secure since greater complexity = greater chance to mess things up.
Note: since the 'password' will travel over the wire, this is
fundamentally different (and less secure) than a PKI style private key
on a token which will never be transmitted to the server.
2. Plug-in authentication.
Tomcat (and most other web containers) support BASIC, FORM, DIGEST and
CLIENT-CERT. Can you give examples (in addition to the 1. above) of
authentication types you'd like to see supported?
3. Authentication token manipulation
Hashing is the most popular and achieves the desired aims of protecting
passwords. Can you give examples of other manipulations and the security
benefits of performing them?
4. Portability
Have a look at http://jcifs.samba.org/. This provides NTLM
authentication as a servlet filter. It might give you some ideas about
how to make your authentication components more web container neutral.
Also there is a Jakarta project starting up (name TBD) that will provide
web components such as filters, listeners, etc. If your authentication
code can be made container neutral I think this would be a more natural
home for it. Have a look at
http://marc.theaimsgroup.com/?l=jakarta-general&m=111972374202676&w=2,
http://wiki.apache.org/jakarta/DraftCharterForWebComponentCommons,
http://marc.theaimsgroup.com/?t=111947286700005&r=1&w=2 and the related
threads.
Mark
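As an added illustration of points 2 and 4 above (example code, not from this thread, Tomcat or jCIFS): a BASIC authentication servlet filter that depends only on the servlet API, with the credential check behind a small interface so a different store or scheme can be plugged in. The `Authenticator` interface and the `realm` and `authenticatorClass` init-params are assumptions of this example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
// Plug-in point (assumed for this example): a hashed password table, LDAP, etc. implements this.
interface Authenticator { boolean authenticate(String username, char[] secret); }
// BASIC authentication as a filter: only the servlet API is used, so it is container neutral.
public class BasicAuthFilter implements Filter {
    private Authenticator authenticator; private String realm;
    public void init(FilterConfig config) throws ServletException {
        realm = config.getInitParameter("realm");
        // Hypothetical init-param naming the Authenticator implementation to plug in.
        String cls = config.getInitParameter("authenticatorClass");
        try {
            authenticator = (Authenticator) Class.forName(cls).getDeclaredConstructor().newInstance();
        } catch (ReflectiveOperationException e) {
            throw new ServletException("cannot load authenticator " + cls, e);
        }
    }
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String header = request.getHeader("Authorization");
        if (header != null && header.regionMatches(true, 0, "Basic ", 0, 6)) {
            String decoded;
            try {
                decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()), StandardCharsets.UTF_8);
            } catch (IllegalArgumentException e) {
                decoded = ""; // malformed base64: treat as missing credentials
            }
            int colon = decoded.indexOf(':');
            if (colon > 0) {
                char[] secret = decoded.substring(colon + 1).toCharArray();
                try {
                    if (authenticator.authenticate(decoded.substring(0, colon), secret)) {
                        chain.doFilter(req, res); // authenticated: pass on to the protected resource
                        return;
                    }
                } finally {
                    java.util.Arrays.fill(secret, '\0'); // scrub the secret once it has been checked
                }
            }
        }
        // No or bad credentials: challenge the client, never fall through to the resource.
        response.setHeader("WWW-Authenticate", "Basic realm=\"" + realm + "\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }
    public void destroy() {}
}
```

Because BASIC sends the secret on every request, the same caveat as in point 1 applies: it needs TLS underneath it, which is also why a challenge-based scheme such as DIGEST or CLIENT-CERT would slot in behind the same interface.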