tomcat-users mailing list archives

From Bob Hall <>
Subject Re: Does using Kerberos with Tomcat reduce my security?
Date Fri, 25 Aug 2006 21:46:08 GMT
--- "P. Douglas Reeder" <> wrote:

> After some effort, I've managed to set up a JAASRealm that draws its account information from our Kerberos server (Krb5LoginModule, connecting to Open Directory on OS X Server 10.3.9).
>
> One of the key security properties of Kerberos is that passwords are never sent over the network, even in encrypted form. However, since users interact with Tomcat using HTTP, I think passwords are sent in the clear, if using Basic authentication and encrypted if using Digest authentication. In either case, it would appear that I'm not preserving the level of security I had with the Kerberos setup before.
>
> So, would it make more sense to use account information from our Linux machine (JAASRealm with UnixLoginModule), since that is sent over the network in encrypted form when users log in via ssh? Is Digest authentication about as secure as SSH?
>
> If not, what's the easiest kind of Realm to set up which stores passwords in an encrypted form, for a half dozen users?
> (UserDatabaseRealm is right out.)

Can your app use HTTPS instead of HTTP?

If yes, then you can (which you may already know)
add a <transport-guarantee /> element to your app's

      <description>Student access</description>
      <description>These are the coarse-grained roles that enable a subject to pass the JAAS login stack.</description>
      <description>This app will use https in the /student subtree</description>
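The three <description> lines above belong to the three parts of one web.xml <security-constraint>; the fragment below is an added illustration of that structure, not text from Bob's message. The /student/* url-pattern follows the "/student subtree" wording, and the role name "student" and the realm-name are assumptions.

```xml
<!-- web.xml fragment (added example, not from the original message).
     url-pattern follows the "/student subtree" wording; the role name
     "student" and the realm-name are assumptions. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Student area</web-resource-name>
    <description>Student access</description>
    <url-pattern>/student/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <description>These are the coarse-grained roles that enable a subject
      to pass the JAAS login stack.</description>
    <role-name>student</role-name>
  </auth-constraint>
  <user-data-constraint>
    <description>This app will use https in the /student subtree</description>
    <!-- CONFIDENTIAL makes Tomcat redirect plain-HTTP requests for this
         subtree to the HTTPS connector, so the Basic credentials only ever
         travel inside TLS. The default, NONE, would leave them in the clear. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Basic auth is acceptable only because the constraint above forces HTTPS. -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Student area</realm-name>
</login-config>

<!-- Every role referenced in an auth-constraint must also be declared here. -->
<security-role>
  <role-name>student</role-name>
</security-role>
```

The redirect only works if server.xml defines an HTTPS connector and the HTTP connector's redirectPort points at it; without that, requests to /student/* fail instead of being upgraded.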


