If your goal is encryption... I found this explanation from Stanford helpful in understanding Kerberos/SSH/SSL:

http://pangea.stanford.edu/computerinfo/resources/network/security/safeguards/kerberos.html

HTH
Martin

> Date: Mon, 11 May 2009 18:37:22 -0400
> From: ch...@christopherschultz.net
> To: users@tomcat.apache.org
> Subject: Re: Form-based Container Security with SSL
>
> Guojun,
>
> On 5/11/2009 5:49 PM, Guojun Zhu wrote:
> > Dear Chris,
> >
> > Thank you very much. What we really want is that the login
> > username/password communicates encrypted. Everything else can be in
> > clear text. (We also need the log-out, so I cannot use digest
> > authentication.)
> >
> >> Showing a non-secure login page isn't a problem, is it? You just need to
> >> make sure that the login form's action is HTTPS and you will get a
> >> secure login.
> >
> > But if this login page is reached by http, will the login
> > username/password be sent out in clear text?
>
> The scheme used to access the login page is not relevant to the safety
> of your credentials. Only the scheme used to /submit/ those credentials
> from your login form is relevant.
>
> > Or should I specify the action "j_security_check" as https?
>
> Definitely.
>
> > Then after the authentication, change back to http.
>
> Correct.
>
> > (By changing the secured cookie into unsecured? Where? In every page,
> > as Tomcat has redirected the link away from login?)
>
> No, all my suggestions have been to create a non-secure session id
> cookie /before/ authentication occurs. Then you don't have to worry
> about it, later.
>
> -chris
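A login page that puts Chris's two points into practice: the session (and thus the JSESSIONID cookie) is created while the browser is still on plain HTTP, and the form posts to an absolute HTTPS URL for j_security_check. This is an added example, not code from the thread or from Tomcat; the host name login.example.com, the port 8443 and the context path are placeholders to be replaced with the deployment's real values.

```jsp
<%-- login.jsp: added example, not from the mailing-list thread.
     Assumes Tomcat form-based authentication (login-config FORM) and that
     HTTPS is served on the canonical host LOGIN_HOST (placeholder) on
     HTTPS_PORT (placeholder). --%>
<%@ page contentType="text/html; charset=UTF-8" %>
<%
    // Constructed placeholders: substitute the real canonical host and port.
    final String LOGIN_HOST = "login.example.com";
    final int HTTPS_PORT = 8443;

    // Point 1: create the session now, while this request is plain HTTP.
    // Tomcat marks the JSESSIONID cookie "Secure" when the session is first
    // created during an HTTPS request; a Secure cookie would never be sent
    // back on the HTTP pages used after login, so the user would look
    // logged out. Creating it here yields a cookie usable on both schemes.
    request.getSession(true);

    // Point 2: submit the credentials over HTTPS regardless of how this page
    // was reached. The host is a fixed constant on purpose: building it from
    // the incoming Host header would let a forged header redirect the POST.
    String action = "https://" + LOGIN_HOST
            + (HTTPS_PORT == 443 ? "" : ":" + HTTPS_PORT)
            + request.getContextPath() + "/j_security_check";
%>
<!DOCTYPE html>
<html>
<head><title>Login</title></head>
<body>
  <%-- j_username / j_password are the field names Tomcat's
       FormAuthenticator expects. --%>
  <form method="POST" action="<%= action %>">
    <label>Username <input type="text" name="j_username"></label>
    <label>Password <input type="password" name="j_password"></label>
    <input type="submit" value="Log in">
  </form>
</body>
</html>
```

Two things to check when deploying this. First, j_security_check only works when the login page was reached through Tomcat's redirect from a protected resource (the saved request lives in the session created above); a direct visit to the login page followed by a submit is rejected. Second, the trade-off Guojun asked for is real: because the session cookie is deliberately not flagged Secure, it travels in clear text on every HTTP page after login, so anyone able to observe that traffic can reuse the authenticated session even though the password itself was never exposed. Only the credential submission is protected by this setup.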