tomcat-users mailing list archives

From André Warnier
Subject Re: interaction between .forward() and <security-constraint>
Date Sat, 04 Sep 2010 16:27:15 GMT
Brian McBride wrote:
> Ok - now to figure out how to implement digest authentication ...
Digest authentication is not very popular, and rather a pain to implement yourself.
The reason why it is not very popular is that it is a bit of a halfway solution: it does avoid user passwords being transmitted in clear over the net, but it is not safe against man-in-the-middle attacks (someone can record the digest, and use it to authenticate later as that user).  And it still leaves the subsequent conversation unencrypted.

If you really need security, then you should run your entire site under HTTPS.
This will also allow you to do Basic authentication, or form-based authentication, since 
the authentication dialog is encrypted anyway by the HTTPS connection.

Maybe also your needs would be a valid reason to use an Apache httpd front-end for your 
site, taking care of the HTTPS side and/or the authentication.  httpd can then 
authenticate the user (using pretty much any method of your choice, there are standard 
modules available for all), and just pass the already-authenticated user-id to Tomcat.
Tomcat can then just do the access-control part.
(or if you prefer, you could even do that at the Apache httpd level also).

In this case the added overhead would be minimal, because what you do at the httpd level, you do not need to do at the Tomcat level and vice-versa.

It is all basically a matter of preference.  Not being myself a Tomcat or Java guru, I 
prefer to do these things at the Apache httpd level, and keep the Tomcat side simple.
Your mileage may vary.
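As an added illustration (not part of André's reply, nor a file from the Tomcat project), here is a web.xml fragment implementing the approach he recommends: put the whole site behind HTTPS by means of a CONFIDENTIAL transport guarantee, then use plain Basic authentication inside that encrypted connection. The role name "user" and the realm name "Example" are assumed values.

```xml
<!-- Added example web.xml fragment (not from the original message).
     The role name "user" and realm name "Example" are assumed values. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire site</web-resource-name>
      <!-- Cover every URL, so the constraint is not bypassed by an
           unprotected entry point. -->
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
    <!-- CONFIDENTIAL makes Tomcat redirect plain-HTTP requests to the
         HTTPS port (the connector's redirectPort in server.xml), so the
         Basic credentials below only ever travel inside TLS. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Basic is acceptable here precisely because the transport is
       encrypted; without the CONFIDENTIAL guarantee above it would send
       the password base64-encoded in clear. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Example</realm-name>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>

</web-app>
```

Two points worth checking when deploying something like this. First, servlet security constraints are evaluated only on the request that arrives from the client, not on an internal RequestDispatcher.forward(), which is why a constraint on the forward target alone does not protect it; covering /* as above sidesteps that. Second, if Apache httpd terminates TLS and authenticates the user as André suggests, the same security-constraint still does the access-control part in Tomcat: with an AJP connector, setting tomcatAuthentication="false" on the Connector in server.xml makes Tomcat accept the user id that httpd already verified instead of prompting again, and the login-config can then be dropped.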
