tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: interaction between .forward() and <security-constraint>
Date Sat, 04 Sep 2010 23:23:51 GMT
On 04/09/2010 17:27, André Warnier wrote:
> Digest authentication is not very popular, and rather a pain to
> implement yourself.
> The reason why it is not very popular is that it is a bit of a halfway
> solution : it does avoid user passwords to be transmitted in clear over
> the net, but it is not safe for man-in-the-middle attacks (someone can
> record the digest, and use it to authenticate later as that user).

No they can't. DIGEST is secure against such an attack. Any session ID,
however, will be vulnerable.

> And
> it still leaves the subsequent conversation unencrypted.

True.

> If you really need security, then you should run your entire site under
> HTTPS.

It depends on what you are trying to protect. Generally, this is true
but there will be edge cases where DIGEST is sufficient.

Mark
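
Added example, not part of the original message and not Tomcat's implementation: a minimal RFC 2617 `qop=auth` verifier in which the server issues the nonce and tracks the nonce count, showing what happens when a recorded `Authorization` value is presented again. The realm, account, URIs and the `DigestVerifier` and `demo` names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 request-digest for qop=auth."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

class DigestVerifier:
    def __init__(self, realm, users):
        self.realm, self.users = realm, users  # users: name -> password
        self.last_nc = {}                      # issued nonce -> highest nc accepted

    def challenge(self):
        nonce = secrets.token_hex(16)          # fresh, unpredictable server nonce
        self.last_nc[nonce] = 0
        return nonce

    def verify(self, method, uri, auth):
        seen = self.last_nc.get(auth["nonce"])
        if seen is None:
            return "unknown-nonce"             # nonce was never issued by this server
        nc = int(auth["nc"], 16)
        if nc <= seen:
            return "replayed-nc"               # same (nonce, nc) presented again
        password = self.users.get(auth["username"], "")
        expected = digest_response(auth["username"], self.realm, password,
                                   method, uri, auth["nonce"], auth["nc"], auth["cnonce"])
        if not hmac.compare_digest(expected, auth["response"]):
            return "bad-response"              # hash is bound to nonce, nc, method, uri
        self.last_nc[auth["nonce"]] = nc
        return "ok"

def demo():
    server = DigestVerifier("example", {"alice": "s3cret"})  # constructed account
    nonce = server.challenge()
    captured = {"username": "alice", "nonce": nonce, "nc": "00000001", "cnonce": "0a4f113b"}
    captured["response"] = digest_response("alice", "example", "s3cret", "GET",
                                           "/protected", nonce, "00000001", "0a4f113b")
    first = server.verify("GET", "/protected", captured)
    replay = server.verify("GET", "/protected", captured)            # header resent as-is
    bumped = server.verify("GET", "/admin", dict(captured, nc="00000002"))
    fresh = server.verify("GET", "/protected", dict(captured, nonce=server.challenge()))
    return first, replay, bumped, fresh
```

`demo()` returns the verdicts for the legitimate request, the identical resend, the same response with a bumped nonce count on another URI, and the same response against a newly issued nonce.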


