tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Security Realms and form-login-page
Date Mon, 21 Jan 2008 23:58:06 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Albrecht,

Albretch Mueller wrote:
|> Let me get this straight: you want to create a webapp that does nothing
|> other than authenticate connections for another webapp?
|>
|> Why would you want to do something like this?
| ~
|  Well, what else would you do if:
| ~
|  * you maintain a number of name-based virtual hosts (of your own and
| for development)
| ~
|  * you want to/can only pay for an SSL certificate
| ~
|  * you only need the secure connections while transferring sensitive
| data, such as sign up, personal profile/options (re)set, login and
| payments

Fair enough. Note that for development, you can use self-signed SSL
certs, which are free.

Anyhow, if you want one webapp to authenticate others, then you need to
give out some kind of token after login that can be sent to the primary
application for background communication with the auth server. Something
like this:

User                      AUTH app         PRIMARY app
User  ---- HTTP ------------------------------>
~  |                                           |
~  |  <--- redirect ---------------------------+
~  |
~  |  ----------------------->
~  |                         |
~  |  <---- login page ------+
~  |
~  |  ---- login submit ----->
~  |                         | (generate token)
~  |  <---- redirect --------+
~  |
~  | ----- (request includes login token) ----->
~  |                                           | verify token with auth
~  |                          <----------------+
~  |             checks token |
~  |                          +-- token ok/bad >
~  |                                           | create session
~  |                                           |

You will have to be careful to ensure that random tokens cannot be
forged by malicious users. I recommend information hashing, token
timeouts, client IP verification (if acceptable), and application
identification.

Good luck!
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkeVMY4ACgkQ9CaO5/Lv0PDP+wCghhWopqwLWoQ+qKiaHZ0epEfL
rzYAoKrsEBTYx9zRnBhWIsGnczCzi8xt
=V2xz
-----END PGP SIGNATURE-----
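The exchange in the diagram above, worked through as an added example. This is not code from the original message or from Tomcat; it assumes that AUTH and PRIMARY share an HMAC key out of band, a `app|user|ip|expiry|nonce` payload layout, and the class and method names used below, all of which are illustrative. It implements the four recommendations from the message: the token is MACed (hashing with a secret), carries an expiry (timeout), is bound to the client IP (optional), and names the application it was issued for (application identification). The nonce table in AUTH is what makes the "verify token with auth" back channel worth having: it turns each token into a one-time credential.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Assumption: AUTH and PRIMARY are run by the same operator and share an HMAC
# key out of band. The value here is a placeholder for the example only.
SHARED_SECRET = b"placeholder-use-secrets.token_bytes(32)-in-real-use"
TOKEN_TTL_SECONDS = 60  # short: the token only has to survive one redirect


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AuthApp:
    """The AUTH app (the vhost with the real certificate): issues a login token
    after a successful form login and answers PRIMARY's back-channel check."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._outstanding: Dict[str, int] = {}  # nonce -> expiry, for one-time use

    def issue_token(self, username: str, app_id: str, client_ip: str,
                    now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        for field in (username, app_id, client_ip):
            if "|" in field:
                raise ValueError("field must not contain the separator")
        nonce = secrets.token_urlsafe(16)
        expires = int(now) + TOKEN_TTL_SECONDS
        # The MAC covers every field, so none can be altered without the secret;
        # app_id ties the token to one consumer, expires bounds its lifetime,
        # client_ip lets the verifier bind it to the browser that logged in.
        payload = f"{app_id}|{username}|{client_ip}|{expires}|{nonce}".encode()
        mac = hmac.new(self._secret, payload, hashlib.sha256).digest()
        self._outstanding[nonce] = expires
        return b64url_encode(payload) + "." + b64url_encode(mac)

    def check_token(self, token: str, app_id: str, client_ip: Optional[str],
                    now: Optional[float] = None) -> Optional[str]:
        """Back-channel check. Returns the username, or None for a bad token.
        Pass client_ip=None to skip the IP check where it is not acceptable."""
        now = time.time() if now is None else now
        try:
            payload_b64, mac_b64 = token.split(".", 1)
            payload = b64url_decode(payload_b64)
            mac = b64url_decode(mac_b64)
            fields = payload.decode("utf-8").split("|")
        except ValueError:  # also covers binascii.Error and UnicodeDecodeError
            return None
        expected = hmac.new(self._secret, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return None  # forged or tampered: MAC does not match
        if len(fields) != 5:
            return None
        t_app, username, t_ip, t_exp, nonce = fields
        # One-time use: the first check consumes the token, whatever the outcome.
        if self._outstanding.pop(nonce, None) is None:
            return None  # never issued, or already redeemed (replay)
        if t_app != app_id:
            return None  # issued for a different application
        if now > int(t_exp):
            return None  # timed out
        if client_ip is not None and t_ip != client_ip:
            return None  # presented from a different client address
        return username


class PrimaryApp:
    """A PRIMARY app: receives the post-login redirect, verifies the token
    with AUTH over the back channel, and only then creates its own session."""

    APP_ID = "shop"  # assumed identifier registered with AUTH

    def __init__(self, auth: AuthApp) -> None:
        self._auth = auth
        self.sessions: Dict[str, str] = {}  # session id -> username

    def handle_login_redirect(self, token: str, client_ip: str,
                              now: Optional[float] = None) -> Optional[str]:
        username = self._auth.check_token(token, self.APP_ID, client_ip, now)
        if username is None:
            return None
        session_id = secrets.token_urlsafe(32)  # PRIMARY's own session, not the token
        self.sessions[session_id] = username
        return session_id


if __name__ == "__main__":
    auth = AuthApp(SHARED_SECRET)
    shop = PrimaryApp(auth)
    tok = auth.issue_token("alice", PrimaryApp.APP_ID, "203.0.113.7")
    print("first use ok:", shop.handle_login_redirect(tok, "203.0.113.7") is not None)
    print("replay rejected:", shop.handle_login_redirect(tok, "203.0.113.7") is None)
```

The MAC alone stops forgery and tampering but not replay of a token captured in transit; the nonce table on the AUTH side is what makes a stolen token worthless after its first use, which is why the diagram has PRIMARY consult AUTH rather than verify locally. If the back channel is dropped and PRIMARY verifies the MAC itself, keep the TTL very short and accept that a token can be replayed within it.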
