tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From QM <qm...@brandxdev.net>
Subject Re: Tomcat Security Constraints
Date Thu, 08 Apr 2004 16:49:07 GMT
On Thu, Apr 08, 2004 at 06:36:16PM +0200, Malcolm Warren wrote:
: Surely the authorization should be requested in all places and at all 
: times, whereever the request is coming from, even if from an include in an 
: unprotected page?

Clearly not, if it's going through. ;)

My understanding of the spec is that the security constraints are for
the originally-requested URI only.  

It's up to the developers to make sure content doesn't get <include>'d
or forward()'d to the wrong place.


: It has happened that I forget to type https:// and type http:// instead.
: So if a nasty, mean person is listening in, he can see my password 
: unencrypted, right?

Yes.


: How can I prevent this?

Use all SSL, all the time. -and I'm not being facetious there.  If the
data is that sensitive, why not?

Other than that, I believe there are auth restraints in web.xml that
require SSL auth.  I'd be more specific, but I'm deep into a C++ project
right today so my servlet spec knowledge is a little hazy.


btw, what's wrong with form auth?  I don't recall it requiring that much
extra programming.

-QM

-- 

software  -- http://www.brandxdev.net
tech news -- http://www.RoarNetworX.com


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Mime
View raw message