Gregor,

On 3/10/2009 5:44 PM, Gregor Schneider wrote:
> Mark,
>
> On Tue, Mar 10, 2009 at 8:23 PM, Mark Thomas <ma...@apache.org> wrote:
>>
>> Ditch FORM auth, use DIGEST.
>>
> I'm afraid I don't see how to combine DIGEST with a Login-form - and
> that's a customer request.

Then you're out of luck. The only workarounds I've ever heard of are to
use some javascript tricks to hash or encrypt the username and/or
password before it's sent to the server. Of course, this technique
actually /reduces/ the security to zero because either replay attacks
are trivial or the encryption keys are found in the javascript code.
Duh.

> I know that SecurityFilter is quite a handy tool, however, that
> doesn't support Tomcat's SSO-functionality yet (?).

Correct. It also doesn't support FORM auth with anything but plaintext
j_password parameters.

> I guess I can live with an unencrypted SessionID since our sites are
> not that important as to expect any session-hijacking (btw., does
> Tomcat check if the SessionID maps to a certain IP?).

No. But securityfilter's cvs head contains a filter that does just that.
You can use it completely independently of securityfilter if you want to
"borrow" it from the project. ;)

> What is important is performance - therefore I tend to not use SSL
> except for the LoginForm.
>
> Looks like we have to get a few certs then.

I would give your customer the choice: no cert (less money) but you have
to use DIGEST auth; versus use form auth and buy an SSL cert.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
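The replay argument in the reply above, worked through as an added example (this is editor-written demonstration code, not code from the thread, from SecurityFilter or from Tomcat). It models the two schemes side by side: a "JavaScript hashes the password before posting it" login, where the hash itself becomes the reusable credential, and an HTTP Digest exchange (RFC 2617, qop=auth), where the response is bound to a server nonce and nonce-count so a captured response cannot be submitted twice. The realm name, username and password are constructed sample values.

```python
import hashlib
import secrets

# Constructed sample credentials (not from the original thread).
REALM = "example-realm"
USERNAME = "gregor"
PASSWORD = "correct horse"


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


# --- Scheme 1: client-side JavaScript hashing ----------------------------
# The server stores H(password) and the client posts H(password).
# The hash IS the credential: whoever sniffs one login can log in forever.
class StaticHashServer:
    def __init__(self):
        self.stored = {USERNAME: hashlib.sha256(PASSWORD.encode()).hexdigest()}

    def login(self, user: str, client_hash: str) -> bool:
        return self.stored.get(user) == client_hash


def client_side_hash(password: str) -> str:
    # What the "javascript trick" would send instead of the password.
    return hashlib.sha256(password.encode()).hexdigest()


# --- Scheme 2: HTTP Digest authentication (RFC 2617, qop=auth) -----------
class DigestServer:
    def __init__(self):
        # A digest-capable realm stores HA1 = MD5(user:realm:password),
        # never the plaintext password.
        self.ha1 = {USERNAME: md5hex(f"{USERNAME}:{REALM}:{PASSWORD}")}
        self.issued = {}  # nonce -> highest nonce-count already accepted

    def challenge(self) -> str:
        # The 401 response carries a fresh, unpredictable nonce.
        nonce = secrets.token_hex(16)
        self.issued[nonce] = 0
        return nonce

    def verify(self, user, method, uri, nonce, nc, cnonce, response) -> bool:
        if nonce not in self.issued:
            return False            # unknown or expired nonce
        if nc <= self.issued[nonce]:
            return False            # replayed or out-of-order nonce count
        ha1 = self.ha1.get(user)
        if ha1 is None:
            return False
        ha2 = md5hex(f"{method}:{uri}")
        expected = md5hex(f"{ha1}:{nonce}:{nc:08x}:{cnonce}:auth:{ha2}")
        if not secrets.compare_digest(expected, response):
            return False
        self.issued[nonce] = nc     # consume this nonce-count
        return True


def digest_response(user, password, method, uri, nonce, nc, cnonce) -> str:
    # What a browser computes for the Authorization header.
    ha1 = md5hex(f"{user}:{REALM}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc:08x}:{cnonce}:auth:{ha2}")


def demo() -> dict:
    """A passive attacker captures one login under each scheme and replays it."""
    static = StaticHashServer()
    captured_hash = client_side_hash(PASSWORD)
    static_first = static.login(USERNAME, captured_hash)
    static_replay = static.login(USERNAME, captured_hash)   # still accepted

    digest = DigestServer()
    nonce = digest.challenge()
    cnonce = secrets.token_hex(8)
    resp = digest_response(USERNAME, PASSWORD, "GET", "/app/", nonce, 1, cnonce)
    digest_first = digest.verify(USERNAME, "GET", "/app/", nonce, 1, cnonce, resp)
    digest_replay = digest.verify(USERNAME, "GET", "/app/", nonce, 1, cnonce, resp)
    # Replaying the captured response against a new challenge fails too,
    # because the response is bound to the original nonce.
    fresh = digest.challenge()
    digest_cross = digest.verify(USERNAME, "GET", "/app/", fresh, 1, cnonce, resp)

    return {
        "static_first": static_first, "static_replay": static_replay,
        "digest_first": digest_first, "digest_replay": digest_replay,
        "digest_cross_nonce": digest_cross,
    }


if __name__ == "__main__":
    print(demo())
```

Note what Digest does and does not buy you: the password never crosses the wire and a captured response is single-use, but nothing after authentication is encrypted. The session cookie and the page content are still readable on the network, which is exactly the "unencrypted SessionID" trade-off discussed in the quoted message.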
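The two options offered at the end of the reply (DIGEST with no certificate, or FORM auth with SSL), written out as web.xml fragments. This is an added editorial example, not configuration from the thread or from Tomcat's own documentation; the realm name, URL patterns and role name are placeholders.

```xml
<!-- Option 1: DIGEST auth, no SSL certificate needed.
     The password never crosses the wire; only a nonce-bound hash does.
     realm-name must match the realm used when the stored digests
     MD5(user:realm:password) were computed for the Realm. -->
<login-config>
  <auth-method>DIGEST</auth-method>
  <realm-name>example-realm</realm-name>
</login-config>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Application</web-resource-name>
    <url-pattern>/app/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>

<!-- Option 2: FORM auth with a certificate. Without the CONFIDENTIAL
     constraint, j_username and j_password are posted in plaintext.
     The second constraint forces SSL for the login page and the
     j_security_check POST only, leaving the rest of the site on HTTP. -->
<!--
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Login over SSL</web-resource-name>
    <url-pattern>/login.jsp</url-pattern>
    <url-pattern>/j_security_check</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
-->
```

Two things to test before relying on the "SSL only for the login form" layout. First, the session established by the HTTPS login is afterwards presented on plain HTTP requests, so a network attacker gets the session ID even though they never see the password; that is the session-hijacking exposure Gregor says he can accept. Second, Tomcat marks a session cookie that was created during an HTTPS request as Secure, and a browser will not send a Secure cookie over HTTP, so a session first created on the SSL login page may not carry over to the HTTP part of the site at all; confirm the actual cookie behaviour on your Tomcat version rather than assuming the mixed-transport setup works.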