tomcat-users mailing list archives

From "Mark R. Diggory" <mdigg...@latte.harvard.edu>
Subject Re: forwarding to j_security_check?
Date Tue, 15 Apr 2003 21:41:05 GMT
Erik Price wrote:

> Mark R. Diggory wrote:
>
>> I guess what I'm suggesting is that you're sending a redirect response
>> to the browser with the user's password parameterized in it. I also
>> suspect it would be exposed in the address bar if you stop the
>> redirect from occurring. This is exposing the user's password over the
>> network (possibly after working very hard to secure it with digest
>> and SSL) and is not a very secure thing to do. This is why I was
>> looking for a forwarding strategy that would stay within the server
>> itself.
>
> If you are using SSL, wouldn't this response be encrypted as well?
>
> Erik


True, but would the redirect's request URL be encrypted inside the
browser? The residual passwd info in the URL could possibly be available
after the user left the workstation (given the security and capabilities
of the browser). Basically, I think the redirect is an HTTP GET request
by nature, and by doing it you're placing security in the hands of the
browser to conceal the redirect information; it brings into play
"possibly" losing control of the password information.

I'll experiment with it a little and see if I can find the passwd info
in the browser. Matt, which browser were you using?

-thanks,
Mark
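The exposure Mark describes is not limited to the browser: when the client follows a redirect whose URL carries j_username and j_password, the server's own access log records that GET request line, query string included. As an added example (not from this thread or from Tomcat), here is a small Python check over constructed access log lines in the common log format that Tomcat's AccessLogValve can emit; the hosts, timestamps and the password value are made up.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Field names defined by servlet FORM authentication (the j_security_check form)
CREDENTIAL_PARAMS = {"j_username", "j_password"}
SECRET_PARAMS = {"j_password"}

# Common log format: %h %l %u %t "%r" %s %b  (request line = METHOD target PROTOCOL)
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

def redact_query(target):
    """Rebuild the request target with password values masked, so a finding
    can be reported without copying the credential into another log."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    safe = "&".join(f"{k}=<redacted>" if k in SECRET_PARAMS else f"{k}={v}"
                    for k, v in pairs)
    return parts.path + ("?" + safe if safe else "")

def find_credential_leaks(lines):
    """Return (host, timestamp, method, path, param_names) for every request
    whose query string carries FORM-login credentials. POST bodies are not
    in the access log, so only the redirect-induced GET shows up here."""
    leaks = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line in the expected format
        parts = urlsplit(m.group("target"))
        names = {k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
        hit = sorted(names & CREDENTIAL_PARAMS)
        if hit:
            leaks.append((m.group("host"), m.group("ts"), m.group("method"),
                          parts.path, hit))
    return leaks

# Constructed sample: a POST to an app login servlet that answers with a
# redirect, the browser's follow-up GET carrying the credentials, and a normal page hit.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Apr/2003:17:41:05 -0400] "POST /app/login HTTP/1.1" 302 -',
    '10.0.0.5 - - [15/Apr/2003:17:41:05 -0400] "GET /app/j_security_check?j_username=alice&j_password=hunter2 HTTP/1.1" 302 -',
    '10.0.0.5 - - [15/Apr/2003:17:41:06 -0400] "GET /app/index.jsp HTTP/1.1" 200 1532',
]

if __name__ == "__main__":
    for host, ts, method, path, params in find_credential_leaks(SAMPLE_LOG):
        print(f"{ts} {host} {method} {path}: credentials in query string {params}")
```

Run against a real access log, the function flags each line where the login redirect put the credentials on the wire as a GET; the server-side alternative discussed in the thread keeps them out of both the URL and this log.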

