tomcat-dev mailing list archives

From Ben Laurie <...@algroup.co.uk>
Subject Re: [VOTE] Short Term Plan: Add Security Management Capabilities to Tomc
Date Sat, 16 Oct 1999 21:21:32 GMT
"Craig R. McClanahan" wrote:
> Sounds good to me, as long as it's universal across 1.1 and 1.2 platforms, can
> be exported, yadda yadda yadda.  You're right -- I'm only counting on a one-way
> encryption just like Unix password files (and just like Apache htpasswd
> files).  The security manager interface will have an authenticate method taking
> an HttpServletRequest as an argument (so that the interface has no dependencies
> on which type of authentication you are using).  When doing Basic
> authentication, you can just encrypt the password included in the header and
> compare to the encrypted stored version.

Note that basic auth is deprecated. We should promote the use of digest
auth.

BTW, linking identity irrevocably to HTTP auth of any flavour is bad,
IMO - there are many situations where the identity is established in a
completely different way, and these should be catered for.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
     - Indira Gandhi
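
The Basic check described in the quoted paragraph (hash the password from the header, compare it with the stored one-way hash), as an added example that is not part of the original message or of Tomcat's code. The `Authenticator` interface, the header map standing in for `HttpServletRequest`, the PBKDF2 parameters and the sample user are all assumptions made for illustration; the interface returns only an identity so that callers do not depend on the HTTP scheme. Requires Java 16 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class BasicAuthExample {
    /** Hypothetical interface: callers get an identity, not the HTTP auth scheme. */
    interface Authenticator {
        Optional<String> authenticate(Map<String, String> headers);
    }
    /** Stored record: salt plus one-way hash; the cleartext password is never kept. */
    record Credential(byte[] salt, byte[] hash) {}

    static byte[] hash(char[] password, byte[] salt) throws Exception {
        // Iteration count and key length are illustrative choices.
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }
    static Authenticator basic(Map<String, Credential> users) {
        return headers -> {
            String h = headers.get("Authorization");
            if (h == null || !h.regionMatches(true, 0, "Basic ", 0, 6)) return Optional.empty();
            try {
                String pair = new String(Base64.getDecoder().decode(h.substring(6).trim()), StandardCharsets.UTF_8);
                int colon = pair.indexOf(':');   // first ':' splits; the password may contain more
                if (colon < 0) return Optional.empty();
                String user = pair.substring(0, colon);
                Credential c = users.get(user);
                if (c == null) return Optional.empty();
                byte[] candidate = hash(pair.substring(colon + 1).toCharArray(), c.salt());
                // Constant-time comparison of the recomputed and stored hashes.
                return MessageDigest.isEqual(candidate, c.hash()) ? Optional.of(user) : Optional.empty();
            } catch (Exception e) {              // malformed Base64 or crypto failure
                return Optional.empty();
            }
        };
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = "constructed-salt".getBytes(StandardCharsets.UTF_8); // constructed sample value
        Map<String, Credential> users = Map.of("alice", new Credential(salt, hash("s3cret:pw".toCharArray(), salt)));
        Authenticator auth = basic(users);
        String good = "Basic " + Base64.getEncoder().encodeToString("alice:s3cret:pw".getBytes(StandardCharsets.UTF_8));
        String bad = "Basic " + Base64.getEncoder().encodeToString("alice:guess".getBytes(StandardCharsets.UTF_8));
        System.out.println(auth.authenticate(Map.of("Authorization", good))); // password matches stored hash
        System.out.println(auth.authenticate(Map.of("Authorization", bad)));  // password does not match
    }
}
```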
