tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: interaction between .forward() and <security-constraint>
Date Sun, 05 Sep 2010 13:41:09 GMT
Mark Thomas wrote:
> On 04/09/2010 17:27, André Warnier wrote:
>> Digest authentication is not very popular, and rather a pain to
>> implement yourself.
>> The reason why it is not very popular is that it is a bit of a halfway
>> solution: it does avoid user passwords being transmitted in clear over
>> the net, but it is not safe against man-in-the-middle attacks (someone can
>> record the digest, and use it to authenticate later as that user).
> 
> No they can't. DIGEST is secure against such an attack. Any session ID,
> however, will be vulnerable.
> 
You are right, the part between () was not correct. But the MIM vulnerability still exists. A MIM can tell the client to use Basic auth, catch the client responses, do Digest auth with the server, and this way get the user id/pw. And neither client nor server would be the wiser.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
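The downgrade described in the reply above works because the client answers whatever challenge it is shown. The following is an added example, not code from the Tomcat project or from either poster: a small client-side guard that parses the server's WWW-Authenticate header and refuses to answer a Basic challenge when the connection is plain HTTP or when the site is known to use Digest, so a rewritten challenge cannot harvest the password. The challenge strings, the `expect_digest` flag and the `choose_challenge` policy are constructed for this illustration.

```python
"""Client-side guard against a Digest-to-Basic downgrade (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Challenge:
    scheme: str                              # e.g. "Basic" or "Digest"
    params: Dict[str, str] = field(default_factory=dict)


# Split on commas that are not inside a quoted-string (quotes assumed balanced).
_COMMA_OUTSIDE_QUOTES = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')
_SCHEME_WITH_PARAM = re.compile(r'^(\w+)\s+(\w+\s*=.*)$')
_SCHEME_ONLY = re.compile(r'^(\w+)$')
_KEY_VALUE = re.compile(r'^(\w+)\s*=\s*(.*)$')


def parse_www_authenticate(header_value: str) -> List[Challenge]:
    """Parse one WWW-Authenticate value into its list of challenges.

    Challenges and their parameters are both comma separated, so a new
    challenge is recognised by a scheme token followed by whitespace and
    the first key=value pair (or by a bare scheme token).
    """
    challenges: List[Challenge] = []
    for piece in _COMMA_OUTSIDE_QUOTES.split(header_value):
        piece = piece.strip()
        if not piece:
            continue
        m = _SCHEME_WITH_PARAM.match(piece)
        if m:
            challenges.append(Challenge(m.group(1)))
            piece = m.group(2)
        elif _SCHEME_ONLY.match(piece):
            challenges.append(Challenge(piece))
            continue
        if not challenges:
            raise ValueError("parameter before any scheme: %r" % piece)
        kv = _KEY_VALUE.match(piece)
        if not kv:
            raise ValueError("malformed parameter: %r" % piece)
        key, value = kv.group(1).lower(), kv.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        challenges[-1].params[key] = value
    return challenges


def choose_challenge(challenges: List[Challenge], *, is_tls: bool,
                     expect_digest: bool) -> Optional[Challenge]:
    """Return the challenge a careful client should answer, or None.

    Policy (constructed for the example):
      * a Digest challenge is answered only if it carries a nonce;
      * Basic is never answered over plain HTTP (password in clear);
      * Basic is never answered for a site known to use Digest, since an
        in-path attacker can swap the challenge as the thread describes.
    """
    by_scheme = {c.scheme.lower(): c for c in challenges}
    digest = by_scheme.get("digest")
    if digest is not None:
        return digest if digest.params.get("nonce") else None
    basic = by_scheme.get("basic")
    if basic is None:
        return None
    if expect_digest or not is_tls:
        return None
    return basic


if __name__ == "__main__":
    # Constructed challenges: what a genuine server sends, and what an
    # in-path attacker would substitute.
    genuine = 'Digest realm="app", qop="auth", nonce="abc123", opaque="x"'
    rewritten = 'Basic realm="app"'
    for label, hdr in (("genuine", genuine), ("rewritten", rewritten)):
        pick = choose_challenge(parse_www_authenticate(hdr),
                                is_tls=False, expect_digest=True)
        print(label, "->", pick.scheme if pick else "refuse to authenticate")
```

The guard only protects the client; the server still cannot tell a relayed Digest exchange from a direct one, which is why TLS, not the choice of HTTP auth scheme, is what actually closes the in-path attack.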

