tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: interaction between .forward() and <security-constraint>
Date Tue, 14 Sep 2010 14:09:50 GMT

> I'm fumbling about seeking the hardness knob that controls my
> thinking ... I know it's there somewhere ... :)

Me, too. You can never be too paranoid about authentication code.

> I'm learning from the discussion on this list that DIGEST is not very popular.  However,
> it is a published algorithm and therefore has a bit more credibility than one I cooked up.

It's not very popular for two reasons:

1. Use of MD5
2. Spotty browser support (due to spotty server support)

Basically, it was a good idea that wasn't well-implemented, so nobody
ever really bothered to fully support it. Most OSS code works just fine
-- because someone like you was sufficiently motivated to make it work
and, well, support the standard. The standard sucks, though :(

Note that DIGEST AUTH does use nonce values during communication, even
if you can't really use them as permanent salt values.

> One thing I'm slightly nervous of is reuse of the SSL session id.
> The SSL spec says the server gets to choose the ID for an SSL session
> so I need to know that the server doesn't reuse them in a way that
> might compromise this approach. OpenSSH states that it uses a random
> number as wide as the protocol allows. Haven't found a statement
> about what JSSE does and haven't had an answer yet to my question to
> the forum. I expect it's fine - it would just be nice to have it in
> writing.

You could use the APR connector (and you probably should, if Tomcat will
be terminating the SSL connection, because it generally performs better
than the pure Java I/O connectors) and then you'll be using OpenSSL
under the hood: problem solved. :)

Hope that helps,
-chris
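The two points Chris makes about DIGEST (it is built on MD5, and its nonces protect the exchange on the wire but cannot serve as a permanent salt for the stored credential) are easiest to see by working RFC 2617 Digest authentication through end to end. The following is an added example for this archive page, not code from the thread or from Tomcat. It computes the client response and verifies it on the server side from a stored HA1 value, using the RFC 2617 §3.5 sample values ("Mufasa", realm "testrealm@host.com") as a known-answer check; the `DigestServer` class, its single-use nonce policy and the sample user "alice" are constructed for illustration.

```python
"""HTTP Digest authentication (RFC 2617, qop="auth") worked through in Python.

Added example, not from the original thread. Shows why the server nonce is
not a salt: the server must store HA1 = MD5(username:realm:password), and
HA1 has to be the same for every request, so the per-request nonce only
binds a response to one challenge on the wire.
"""
import hashlib
import secrets


def md5_hex(s: str) -> str:
    # Digest as specified in RFC 2617 is MD5 only; this is the first of the
    # two complaints in the thread.
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). The only 'salt' is the realm,
    which is public and shared by every user of the server."""
    return md5_hex(f"{username}:{realm}:{password}")


def ha2(method: str, uri: str) -> str:
    """HA2 = MD5(method:digest-uri)."""
    return md5_hex(f"{method}:{uri}")


def digest_response(stored_ha1: str, nonce: str, nc: str, cnonce: str, qop: str, h2: str) -> str:
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2) for qop="auth"."""
    return md5_hex(f"{stored_ha1}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")


def client_authorization(username, realm, password, nonce, method, uri,
                         nc="00000001", cnonce=None):
    """Build the fields a client would put in its Authorization header."""
    cnonce = cnonce or secrets.token_hex(8)
    response = digest_response(ha1(username, realm, password), nonce, nc,
                               cnonce, "auth", ha2(method, uri))
    return {"username": username, "realm": realm, "nonce": nonce, "uri": uri,
            "qop": "auth", "nc": nc, "cnonce": cnonce, "response": response}


class DigestServer:
    """Constructed server side: stores HA1 per user (as a digest realm
    would), issues nonces, and verifies responses. Nonces are single-use
    here, a simplification of the RFC's nonce-count scheme."""

    def __init__(self, realm: str, ha1_by_user: dict):
        self.realm = realm
        self.ha1_by_user = ha1_by_user
        self.outstanding = set()

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, method: str, auth: dict) -> bool:
        if auth.get("realm") != self.realm or auth.get("nonce") not in self.outstanding:
            return False
        stored = self.ha1_by_user.get(auth.get("username"))
        if stored is None:
            return False
        expected = digest_response(stored, auth["nonce"], auth["nc"], auth["cnonce"],
                                   auth["qop"], ha2(method, auth["uri"]))
        ok = secrets.compare_digest(expected, auth["response"])
        if ok:
            self.outstanding.discard(auth["nonce"])  # consume the nonce
        return ok


def rfc2617_example() -> str:
    """Known-answer check using the sample exchange from RFC 2617 section 3.5."""
    h1 = ha1("Mufasa", "testrealm@host.com", "Circle Of Life")
    h2 = ha2("GET", "/dir/index.html")
    return digest_response(h1, "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                           "00000001", "0a4f113b", "auth", h2)


def demo() -> dict:
    """One successful request, then a replay of the same header, plus a check
    that the stored HA1 does not depend on any nonce."""
    realm, user, password = "example-realm", "alice", "correct horse battery staple"
    server = DigestServer(realm, {user: ha1(user, realm, password)})
    nonce = server.challenge()
    auth = client_authorization(user, realm, password, nonce, "GET", "/manager/html")
    first_ok = server.verify("GET", auth)
    server.challenge()  # a new challenge is issued; old response is replayed
    replay_ok = server.verify("GET", auth)
    return {"first_request_ok": first_ok, "replay_ok": replay_ok,
            "ha1_nonce_independent": ha1(user, realm, password) == server.ha1_by_user[user]}


if __name__ == "__main__":
    print(rfc2617_example())
    print(demo())
```

The practical consequence for a server operator is in `ha1_by_user`: whoever reads that table holds values that are directly usable as credentials against any server with the same realm, since the nonce never enters HA1. That is the sense in which the nonces are real, but are not a salt you can store.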