tomcat-users mailing list archives

From Mark Thomas <>
Subject Re: interaction between .forward() and <security-constraint>
Date Sat, 04 Sep 2010 23:23:51 GMT
On 04/09/2010 17:27, André Warnier wrote:
> Digest authentication is not very popular, and rather a pain to
> implement yourself.
> The reason why it is not very popular is that it is a bit of a halfway
> solution: it does prevent user passwords from being transmitted in clear
> over the net, but it is not safe against man-in-the-middle attacks
> (someone can record the digest, and use it to authenticate later as that
> user).

No they can't. DIGEST is secure against such an attack. Any session ID,
however, will be vulnerable.

> And
> it still leaves the subsequent conversation unencrypted.


> If you really need security, then you should run your entire site under

It depends on what you are trying to protect. Generally, this is true
but there will be edge cases where DIGEST is sufficient.
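To make the replay point concrete, here is an added illustration (not code from Tomcat or from either poster) of why a recorded Digest Authorization header cannot simply be resent: the RFC 2617 response binds a server-issued nonce and a client nonce-count, and a verifying server rejects a nonce-count it has already seen for that nonce, or a nonce it no longer remembers. The realm, user store and request values below are constructed sample data.

```python
import hashlib
import secrets
import time


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 'response' for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc:08x}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    """Minimal server-side verifier that tracks nonce-counts to refuse replays."""

    def __init__(self, realm, users, nonce_lifetime=300):
        self.realm = realm
        self.users = users          # username -> password (constructed sample store)
        self.lifetime = nonce_lifetime
        self.issued = {}            # nonce -> [issue_time, highest nc accepted]

    def new_nonce(self):
        nonce = secrets.token_hex(16)
        self.issued[nonce] = [time.time(), 0]
        return nonce

    def verify(self, username, method, uri, nonce, nc, cnonce, response):
        entry = self.issued.get(nonce)
        if entry is None or time.time() - entry[0] > self.lifetime:
            return "stale nonce"        # unknown or expired nonce: client must re-authenticate
        if nc <= entry[1]:
            return "replay"             # nc must strictly increase for a given nonce
        password = self.users.get(username)
        if password is None:
            return "unknown user"
        expected = digest_response(username, self.realm, password, method, uri, nonce, nc, cnonce)
        if not secrets.compare_digest(expected, response):
            return "bad credentials"
        entry[1] = nc                   # remember the highest nc seen for this nonce
        return "ok"


def demo_replay():
    """First request accepted, an exact resend refused, a fresh nc=2 request accepted."""
    server = DigestServer("Example Realm", {"alice": "s3cret"})  # constructed
    nonce, cnonce, uri = server.new_nonce(), "0a4f113b", "/protected/index.html"
    resp1 = digest_response("alice", server.realm, "s3cret", "GET", uri, nonce, 1, cnonce)
    first = server.verify("alice", "GET", uri, nonce, 1, cnonce, resp1)
    replay = server.verify("alice", "GET", uri, nonce, 1, cnonce, resp1)
    resp2 = digest_response("alice", server.realm, "s3cret", "GET", uri, nonce, 2, cnonce)
    second = server.verify("alice", "GET", uri, nonce, 2, cnonce, resp2)
    return [first, replay, second]
```

The same captured header also fails once the server has forgotten or expired the nonce, which is the "stale nonce" path above.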

