After some effort, I've managed to set up a JAASRealm that draws its
account information from our Kerberos server (Krb5LoginModule,
connecting to Open Directory on OS X Server 10.3.9).

One of the key security properties of Kerberos is that passwords are
never sent over the network, even in encrypted form.  However, since
users interact with Tomcat using HTTP, I think passwords are sent in
the clear, if using Basic authentication and encrypted if using Digest
authentication.  In either case, it would appear that I'm not
preserving the level of security I had with the Kerberos setup before.

So, would it make more sense to use account information from our Linux
machine (JAASRealm with UnixLoginModule), since that is sent over the
network in encrypted form when users log in via ssh?  Is Digest
authentication about as secure as SSH?

If not, what's the easiest kind of Realm to set up which stores
passwords in an encrypted form, for a half dozen users?
(UserDatabaseRealm is right out.)


Doug Reeder
Cognitive & Systematic Musicology Lab
OSU School of Music
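An added example (not part of Doug's post) to make the Basic-versus-Digest point concrete: it builds both HTTP credential headers from RFC 2617, shows that a Basic header decodes straight back to the password, and shows that a Digest response can be verified server-side from a stored HA1 = MD5(user:realm:password) without the server ever holding the cleartext. The user, realm and password in `USER`, `REALM`, `PASSWORD` are constructed here; the `rfc2617_example()` values are the worked example from RFC 2617 section 3.5, which is why a Kerberos-backed realm (which never sees the password or an HA1) cannot answer a Digest challenge.

```python
import base64
import hashlib

# Constructed sample credentials for this example (not from the original post).
USER = "dreeder"
PASSWORD = "correct horse battery"
REALM = "Tomcat Users"


def basic_header(user, password):
    """Build an HTTP Basic Authorization value: base64 of 'user:password'."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic(header):
    """Recover the credentials from a Basic header.

    base64 is an encoding, not encryption: anyone who sees the header
    (e.g. on an un-TLS'd link) gets the password back with one call.
    """
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def ha1(user, realm, password):
    """RFC 2617 HA1: the only password-derived value a Digest server needs to store."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode("utf-8")).hexdigest()


def _response_from_ha1(h1, method, uri, nonce, nc, cnonce, qop):
    ha2 = hashlib.md5(f"{method}:{uri}".encode("utf-8")).hexdigest()
    return hashlib.md5(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode("utf-8")).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side: compute the Digest 'response' field (qop=auth, as browsers send)."""
    return _response_from_ha1(ha1(user, realm, password), method, uri, nonce, nc, cnonce, qop)


def server_verifies(stored_ha1, presented_response, method, uri, nonce, nc, cnonce, qop="auth"):
    """Server side: verify using only the stored HA1, never the cleartext password.

    A realm that cannot produce HA1 (Kerberos, a Unix shadow hash) cannot do this.
    """
    expected = _response_from_ha1(stored_ha1, method, uri, nonce, nc, cnonce, qop)
    return expected == presented_response


def rfc2617_example():
    """The worked example from RFC 2617 section 3.5; returns the computed response."""
    return digest_response(
        "Mufasa", "testrealm@host.com", "Circle Of Life",
        "GET", "/dir/index.html",
        nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", nc="00000001", cnonce="0a4f113b",
    )


def compare_schemes(nonce="constructed-nonce-1", cnonce="0a4f113b"):
    """Show what an on-path observer learns from each scheme for the same login."""
    basic = basic_header(USER, PASSWORD)
    digest = digest_response(USER, REALM, PASSWORD, "GET", "/app/", nonce, "00000001", cnonce)
    return {
        "basic_reveals_password": decode_basic(basic)[1] == PASSWORD,
        # The Digest response is a hash; the password is not recoverable by decoding,
        # though a captured challenge/response can still be guessed against offline.
        "digest_contains_password": PASSWORD in digest,
        "server_accepts_with_ha1_only": server_verifies(
            ha1(USER, REALM, PASSWORD), digest, "GET", "/app/", nonce, "00000001", cnonce),
    }


if __name__ == "__main__":
    print(compare_schemes())
    print(rfc2617_example())
```

Neither scheme gives what SSH gives: Basic exposes the password outright, and Digest only hides it behind an unsalted MD5 of a known challenge while still requiring the server to keep a password-equivalent (HA1). Putting TLS in front of Tomcat is what restores a confidentiality level comparable to the Kerberos or SSH setup, whichever realm is chosen.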

