axis-java-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ron Reynolds" <>
Subject Re: Authenticating users
Date Tue, 22 Nov 2005 00:14:50 GMT
passwords should (almost) always be stored in a non-reversable hash (MD5,
SHA-1, etc) - you'll certainly need to know the algorithm if you're going to
duplicate the plain-text->hash-value to compare, but it sounds like you won't
have the plaintext password (which is good from a security point of view) so
you'll want to consider a "single-sign-on" approach.  i'm not 100% savy on
LDAP beyond the basic JNDI-centric view (it's a tree of HashMaps of name-value
pairs with paths) but i'm certain there are single-sign-on approaches that
fully leverage LDAP that you'll want to at least consider.

for my authentication i actually use digitally signed messages - the client
application specifies the user and includes the uid and a canned password as a
digest in the request, but then the whole SOAP Body + UsernameToken is signed
using the client's private key which i verify on the server.  i left those
bits out of the server-config.wsdd to keep the email sizes down.


> Ok...i guess i misunderstood your text. So i might be able to avoid
> needing the plaintext pw in the service. How can i nevertheless use
> encrypted passwords? What kind of passwords are you using? The problem
> is that i dont know how the pw in ldap was encrypted.
> Thx for your help!
> Michael

View raw message