tomcat-users mailing list archives

From Peter Menzel <peter.men...@imise.uni-leipzig.de>
Subject Re: Tomcat Authentication
Date Wed, 09 Nov 2005 10:37:23 GMT
Hi,

Khawaja Shams wrote:
> Hello everyone,
> I have a few strict requirements for security on my project, and I am having
> a hard time understanding some concepts. I cannot use SSL due to the
> performance loss, and the application must be accessed only by authenticated
> users. Meanwhile, I am required to never send the password in cleartext. I
> have successfully implemented a DIGEST authentication with the helpful
> response from Mark Thomas, but I am curious about how authentication for
> further requests takes place. I notice that the user is prompted for the
> password only the first time, and subsequent requests are automatically
> authenticated. Is the authentication information stored in a session
> somewhere? 

The browser caches your username and (digested) credentials and sends 
them with each request in an HTTP request header. If you close your 
browser, the information is cleared, unless you tell your browser to 
memorize it.

> Is this easy to obtain through sniffing? Could a sniffer
> potentially fake an authenticated client's session id to get access to an
> application?

Yes. A sniffer needs to capture only one request with your 
username/credentials and may subsequently misuse them for accessing the 
webapp.

DIGEST is nearly as weak as BASIC/FORM; the only difference is that the 
password goes through a hash function, which creates a digest of 
your password from which the original password cannot be restored.

For optimal security SSL is a good option.

Peter
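As an added illustration of the point made in this thread (example code, not from the thread or from Tomcat): the first function computes the RFC 2617 Digest `response` the way a browser does, so the cleartext password never appears on the wire; the verifier is a constructed server side that stores HA1 instead of passwords and tracks the nonce count (`nc`) per issued nonce, so an Authorization header captured by a sniffer and replayed unchanged is refused. It assumes `qop=auth`, a server-issued nonce, and the sample user/realm/URI values are constructed.

```python
import hashlib
import secrets

def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 'response' as the browser computes it for every request: the
    password enters only through HA1 and never travels in cleartext."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

class DigestVerifier:
    """Server side (constructed for this example, not Tomcat's code): stores HA1
    instead of passwords and remembers the highest nonce count (nc) accepted per
    issued nonce, so a captured Authorization header replayed unchanged is refused."""

    def __init__(self, realm, users):
        self.ha1 = {u: _md5(f"{u}:{realm}:{p}") for u, p in users.items()}
        self.seen_nc = {}  # nonce -> highest nc accepted so far

    def new_nonce(self):
        nonce = secrets.token_hex(16)  # unpredictable, server-issued
        self.seen_nc[nonce] = 0
        return nonce

    def verify(self, user, method, uri, nonce, nc, cnonce, response, qop="auth"):
        if user not in self.ha1 or nonce not in self.seen_nc:
            return False  # unknown user, or a nonce this server never issued
        if int(nc, 16) <= self.seen_nc[nonce]:
            return False  # nonce count did not advance: a replayed header
        ha2 = _md5(f"{method}:{uri}")
        expected = _md5(f"{self.ha1[user]}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
        if not secrets.compare_digest(expected, response):
            return False
        self.seen_nc[nonce] = int(nc, 16)
        return True

def demo():
    """A real request, a verbatim replay of its header, then the next real request."""
    srv = DigestVerifier("tomcat", {"alice": "s3cret"})  # constructed sample user
    nonce, uri, cn = srv.new_nonce(), "/app/index.jsp", "0a4f113b"
    r1 = digest_response("alice", "tomcat", "s3cret", "GET", uri, nonce, "00000001", cn)
    r2 = digest_response("alice", "tomcat", "s3cret", "GET", uri, nonce, "00000002", cn)
    return (srv.verify("alice", "GET", uri, nonce, "00000001", cn, r1),
            srv.verify("alice", "GET", uri, nonce, "00000001", cn, r1),  # replay
            srv.verify("alice", "GET", uri, nonce, "00000002", cn, r2))
```

`demo()` returns `(True, False, True)`: the genuine request passes, the replayed header is rejected, and the client's next request with an advanced nonce count passes again. The digest itself remains an unsalted MD5 of the password, so this check addresses replay only, not the weakness Peter describes.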

