Brian McBride wrote:
...
Ok - now to figure out how to implement digest authentication ...
Digest authentication is not very popular, and rather a pain to implement
yourself.
The reason why it is not very popular is that it is a bit of a halfway solution : it does
avoid user passwords to be transmitted in clear over the net, but it is not safe for
man-in-the-middle attacks (someone can record the digest, and use it to authenticate later
as that user). And it still leaves the subsequent conversation unencrypted.
If you really need security, then you should run your entire site under HTTPS.
This will also allow you to do Basic authentication, or form-based authentication, since
the authentication dialog is encrypted anyway by the HTTPS connection.
Maybe also your needs would be a valid reason to use an Apache httpd front-end for your
site, taking care of the HTTPS side and/or the authentication. httpd can then
authenticate the user (using pretty much any method of your choice, there are standard
modules available for all), and just pass the already-authenticated user-id to Tomcat.
Tomcat can then just do the access-control part.
(or if you prefer, you could even do that at the Apache httpd level also).
In this case the added overhead would be minimal, because what you do at the httpd level,
you do not need to do at the Tomcat level and vice-versa.
It is all basically a matter of preference. Not being myself a Tomcat or Java guru, I
prefer to do these things at the Apache httpd level, and keep the Tomcat side simple.
Your mileage may vary.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
