tomcat-users mailing list archives

From Khawaja Shams <>
Subject Tomcat Authentication
Date Wed, 09 Nov 2005 05:06:13 GMT
Hello everyone,
I have a few strict requirements for security on my project, and I am having
a hard time understanding some concepts. I cannot use SSL due to the
performance loss, and the application must be accessed only by authenticated
users. Meanwhile, I am required to never send the password in cleartext. I
have successfully implemented a DIGEST authentication with the helpful
response from Mark Thomas, but I am curious about how authentication for
further requests takes place. I notice that the user is prompted for the
password only the first time, and subsequent requests are automatically
authenticated. Is the authentication information stored in a session
somewhere? Is this easy to obtain through sniffing? Could a sniffer
potentially fake an authenticated client's session id to get access to an
application? I would appreciate any input or any links/books where I can
read up on how this works. I sincerely appreciate your time and help.

Best Regards,
Khawaja Shams
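As an added illustration (not part of the original post, and not Tomcat's code), here is the RFC 2617 Digest exchange the question asks about, in constructed Python: the server stores only HA1, the browser-side client recomputes the Authorization response for every request from cached credentials, so the password itself never travels, and a replayed header is rejected by the nonce-count check. The realm, user name and password are made-up demo values.

```python
import hashlib
import secrets

# Constructed RFC 2617 Digest (qop="auth", MD5) demo, not Tomcat's code;
# realm "tomcat", user "alice" and password "s3cret" are made-up values.
def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()

def ha1(username, realm, password):  # the server may store only this hash
    return _md5(f"{username}:{realm}:{password}")

def digest_response(ha1_hex, method, uri, nonce, nc, cnonce, qop="auth"):
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

class DigestServer:
    def __init__(self, realm, users):  # users: {username: password}
        self.ha1s = {u: ha1(u, realm, p) for u, p in users.items()}
        self.nonces = {}               # nonce -> highest nonce-count (nc) accepted
    def challenge(self):               # nonce sent in the WWW-Authenticate header
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return nonce
    def verify(self, username, method, uri, nonce, nc, cnonce, response):
        if username not in self.ha1s or nonce not in self.nonces:
            return False
        if int(nc, 16) <= self.nonces[nonce]:  # replayed header: nc must increase
            return False
        expected = digest_response(self.ha1s[username], method, uri, nonce, nc, cnonce)
        if not secrets.compare_digest(expected, response):
            return False
        self.nonces[nonce] = int(nc, 16)
        return True

class DigestClient:
    # A browser caches the credentials after the single prompt and recomputes
    # the Authorization header for every later request; only hashes are sent.
    def __init__(self, username, password, realm):
        self.username, self.ha1, self.nc = username, ha1(username, realm, password), 0
    def authorize(self, method, uri, nonce):
        self.nc += 1
        nc, cnonce = f"{self.nc:08x}", secrets.token_hex(8)
        return dict(username=self.username, method=method, uri=uri, nonce=nonce, nc=nc,
                    cnonce=cnonce, response=digest_response(self.ha1, method, uri, nonce, nc, cnonce))

def demo():
    server = DigestServer("tomcat", {"alice": "s3cret"})
    client = DigestClient("alice", "s3cret", "tomcat")
    nonce = server.challenge()
    first = client.authorize("GET", "/app/", nonce)
    second = client.authorize("GET", "/app/data", nonce)
    # second request is accepted with fresh nc; replaying the first header is refused
    return server.verify(**first), server.verify(**second), server.verify(**first)
```

Note that a sniffer who captures a valid header still cannot recover the password, but can learn the username and the hash values, so the nonce-count check and short nonce lifetimes are what limit replay; only TLS protects the rest of the traffic.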
