tomcat-dev mailing list archives

From Mark Thomas <>
Subject Re: I have some new FormAuthenticator code for Tomcat.
Date Mon, 27 Jun 2005 21:50:46 GMT

D M wrote:
>>1. Local files as authentication tokens

OK. I see this as just being a password that is so long that it has to 
be written down (eg on the USB key) and physically carried around by the 
user. There is an interesting debate here as to whether this is more or 
less secure than a 'good' pass-phrase that the user can just carry 
around in their head. My instinct is that it is about the same but the 
additional complexity required to implement it makes me lean towards 
less secure since greater complexity = greater chance to mess things up.

Note: since the 'password' will travel over the wire, this is 
fundamentally different (and less secure) than a PKI style private key 
on a token which will never be transmitted to the server.

>>2. Plug-in authentication.
Tomcat (and most other web containers) support BASIC, FORM, DIGEST and 
CLIENT-CERT. Can you give examples (in addition to the 1. above) of 
authentication types you'd like to see supported?

>>3. Authentication token manipulation

Hashing is the most popular and achieves the desired aims of protecting 
passwords. Can you give examples of other manipulations and the security 
benefits of performing them?

>>4. Portability

Have a look at This provides NTLM 
authentication as a servlet filter. It might give you some ideas about 
how to make your authentication components more web container neutral. 
Also there is a Jakarta project starting up (name TBD) that will provide 
web components such as filters, listeners, etc. If your authentication 
code can be made container neutral I think this would be a more natural 
home for it. Have a look at,, and the related 
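An added illustration of the note in point 1 (example code, not part of Mark's message or of Tomcat): a file-based token that is sent over the wire is fully visible to a passive observer of that connection, whereas a challenge-response scheme only ever transmits a proof derived from a fresh server nonce. The HMAC used below is an assumed stand-in for the PKI signature the message refers to; the token bytes are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample: the contents of a token file carried on a USB key.
FILE_TOKEN = b"constructed-long-random-token-stored-on-usb-key"

# Point 3 of the thread: the server keeps only a hash of the token at rest.
STORED_TOKEN_HASH = hashlib.sha256(FILE_TOKEN).digest()


def file_token_login(token: bytes) -> bytes:
    """Scheme 1: the token itself is the credential and crosses the wire."""
    return token  # exactly the bytes a passive observer of the connection sees


def file_token_verify(received: bytes) -> bool:
    """Hashing protects the stored copy, not the copy that was transmitted."""
    return hmac.compare_digest(hashlib.sha256(received).digest(), STORED_TOKEN_HASH)


def challenge() -> bytes:
    """Server issues a fresh random nonce for every login attempt."""
    return os.urandom(16)


def challenge_response(secret: bytes, nonce: bytes) -> bytes:
    """Scheme 2: the client proves possession of the secret without sending it.
    Assumption: HMAC stands in for a PKI signature; with a real key pair the
    server would hold only the public key and never the secret itself."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def challenge_verify(nonce: bytes, response: bytes) -> bool:
    expected = hmac.new(FILE_TOKEN, nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def observer_demo() -> tuple:
    """What a passive observer who recorded one login of each scheme can do
    with it later. Returns (scheme1_reusable, scheme2_reusable)."""
    captured_token = file_token_login(FILE_TOKEN)
    scheme1_reusable = file_token_verify(captured_token)  # True: token is the secret

    nonce1 = challenge()
    captured_response = challenge_response(FILE_TOKEN, nonce1)
    assert challenge_verify(nonce1, captured_response)  # the legitimate login succeeds
    nonce2 = challenge()  # the next attempt gets a new nonce
    scheme2_reusable = challenge_verify(nonce2, captured_response)  # False
    return scheme1_reusable, scheme2_reusable
```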