tomcat-users mailing list archives

From "Raible, Matt" <Matt_Rai...@cable.comcast.com>
Subject RE: forwarding to j_security_check?
Date Tue, 15 Apr 2003 22:23:54 GMT
IE6 on Win2K.  I've tested my strategy and the URL (with the password) is
never exposed in the browser in IE/Mozilla, but it does briefly flash in
Apple's Safari browser.  IMO, this is really the same thing as using
form-based security, except it's a post and you can't see the password on
the URL, but if you use a network sniffer, you can see it just as easily
with a post as with a get.  What I use is https:// on the login and then I
know my users are protected.

Matt

> -----Original Message-----
> From: Mark R. Diggory [mailto:mdiggory@latte.harvard.edu]
> Sent: Tuesday, April 15, 2003 3:41 PM
> To: Tomcat Users List
> Subject: Re: forwarding to j_security_check?
> 
> 
> Erik Price wrote:
> 
> >
> >
> > Mark R. Diggory wrote:
> >
> >> I guess what I'm suggesting is that you're sending a redirect response
> >> to the browser with the user's password parameterized in it. I also
> >> suspect it would be exposed on the address bar if you stop the
> >> redirect from occurring; this is exposing the user's password over the
> >> network (possibly after working very hard to secure it with digest
> >> and ssl) and is not a very secure thing to do. This is why I was
> >> looking for a forwarding strategy that would stay within the server
> >> itself.
> >
> >
> > If you are using ssl, wouldn't this response be encrypted as well?
> >
> >
> > Erik 
> 
> 
> True, but would the redirect's request URL be encrypted inside the
> browser? The residual passwd info in the URL could possibly be available
> after the user left the workstation (given the security and capabilities
> of the browser). Basically, I think the redirect is an HTTP GET request
> by nature and by doing it you're placing security in the hands of the
> browser to conceal the redirect information; it brings into play the
> "possibly" losing control of the password information.
> 
> I'll experiment with it a little and see if I can find the passwd info
> in the browser. Matt, which browser were you using?
> 
> -thanks,
> Mark
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> 
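The exposure Mark describes, a redirect to j_security_check that carries j_username and j_password in the query string, leaves the password not only in the browser's address bar and history but also in the server's access log, where the request line is recorded. The following is an added example, not code from the thread or from Tomcat: it scans common-log-format access log lines (constructed sample below, not from a real server) for form-login parameters in a GET URL and produces a redacted copy of the offending request target so it can be reported without repeating the password. The redirect line in the sample mirrors the pattern discussed above; everything else is invented for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample of Tomcat-style (common log format) access log lines.
# Line 2 is the kind of redirect target the thread discusses: the form-login
# credentials travelling in a GET query string. Line 4 is a normal POST to
# j_security_check, whose body (and therefore the password) is not logged.
SAMPLE_LOG = """\
10.0.0.7 - - [15/Apr/2003:15:41:02 -0400] "POST /app/login HTTP/1.1" 302 0
10.0.0.7 - - [15/Apr/2003:15:41:02 -0400] "GET /app/j_security_check?j_username=alice&j_password=s3cret HTTP/1.1" 302 0
10.0.0.7 - - [15/Apr/2003:15:41:03 -0400] "GET /app/index.jsp HTTP/1.1" 200 1523
10.0.0.9 - - [15/Apr/2003:15:42:10 -0400] "POST /app/j_security_check HTTP/1.1" 302 0
"""

# The quoted request line inside a common-log-format record.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Parameter names the servlet form-login mechanism expects.
CREDENTIAL_PARAMS = ("j_username", "j_password")
SECRET_PARAMS = ("j_password",)


def credentials_in_url(target):
    """Return the form-login parameter names present in the query string of a
    request target (path plus optional query), in the order they appear."""
    query = urlsplit(target).query
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if name in CREDENTIAL_PARAMS]


def redact_url(target):
    """Return the request target with every j_password value replaced, so the
    URL can be written to a report without re-exposing the password."""
    parts = urlsplit(target)
    pairs = [(name, "REDACTED" if name in SECRET_PARAMS else value)
             for name, value in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def scan_access_log(text):
    """Return one (line_number, method, redacted_target, params) tuple for
    each request whose URL carried form-login parameters."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = REQUEST_LINE.search(line)
        if not match:
            continue  # not a request record; skip
        found = credentials_in_url(match.group("target"))
        if found:
            findings.append((lineno, match.group("method"),
                             redact_url(match.group("target")), found))
    return findings


if __name__ == "__main__":
    for lineno, method, target, params in scan_access_log(SAMPLE_LOG):
        print(f"line {lineno}: {method} {target} carries {', '.join(params)}")
```

Run against a real AccessLogValve log, the same scan locates every login that went through the redirect path, and the redacted target is safe to paste into a ticket. Note that the POST on line 4 produces no finding: with the credentials in the request body they never reach the access log, the address bar or the history, which is the difference between the two approaches discussed above (the sniffing concern Matt raises is independent of this and is what TLS on the login addresses).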



