hc-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 28659] - Allow Basic authentication to pre-encode the username/password
Date Thu, 29 Apr 2004 07:16:45 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=28659>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=28659

Allow Basic authentication to pre-encode the username/password





------- Additional Comments From ortwin.glueck@nose.ch  2004-04-29 07:16 -------
Joshua,

It is certainly good that you care about security. As you have already
mentioned, your solution does only provide security by obscurity. I suggest a
slightly more secure approach:

1. Store the credentials in an encrypted file (use the crypto API)
2. Store the private key inside your application so it's more difficult for an
attacker.
3. Decrypt the file on demand and provide the credentials for HttpClient

This is actually quite simple and does not require any change to HttpClient.

Ortwin Gl├╝ck

---------------------------------------------------------------------
To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org


Mime
View raw message