-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Brian,
> I'm fumbling about seeking the hardness knob that controls my
> thinking ... I know it's there somewhere ... :)
Me, too. You can never be too paranoid about authentication code.
> I'm learning from the discussion on this list that DIGEST is not very popular. However,
> it is a published algorithm and therefore has a bit more credibility than one I cooked up.
It's not very popular for two reasons:
1. Use of MD5
2. Spotty browser support (due to spotty server support)
Basically, it was a good idea that wasn't well-implemented, so nobody
ever really bothered to fully support it. Most OSS code works just fine
-- because someone like you was sufficiently motivated to make it work
and, well, support the standard. The standard sucks, though :(
Note that DIGEST AUTH does use nonce values during communication, even
if you can't really use them as permanent salt values.
> One thing I'm slightly nervous of is reuse of the SSL session id.
> The SSL spec says the server gets to choose the ID for an SSL session
> so I need to know that the server doesn't reuse them in a way that
> might compromise this approach. OpenSSH states that it uses a random
> number as wide as the protocol allows. Haven't found a statement
> about what JSSE does and haven't had an answer yet to my question to
> the forum. I expect it's fine - it would just be nice to have it in
> writing.
You could use the APR connector (and you probably should, if Tomcat will
be terminating the SSL connection, because it generally performs better
than the pure Java I/O connectors) and then you'll be using OpenSSL
under the hood: problem solved. :)
Hope that helps,
-chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAkyPgi4ACgkQ9CaO5/Lv0PAyEACgu+Yvmcdros13eKsr/9Ugu22B
tQ4AoL1ZXr34rTCbaW8ah8Wbs5uilcrh
=NBR/
-----END PGP SIGNATURE-----
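As an added example, not part of this thread and not Tomcat's own code: a minimal server-side RFC 2617 Digest verifier in Python that shows what the nonce actually buys you. The nonce is a per-challenge, time-bounded value that the server can check statelessly (here via an HMAC over its issue time), and the nonce-count lets the server reject replays of an earlier response; it is not a permanent salt, because the stored credential HA1 = MD5(user:realm:password) is salted only by the realm. The realm, usernames, password and header fields are constructed for the example, and the secret key is generated at import.

```python
import hashlib
import hmac
import os
import time

# Constructed server secret; a real deployment loads this from configuration.
SERVER_SECRET = os.urandom(32)
NONCE_LIFETIME = 300  # seconds a challenge nonce stays acceptable


def _md5_hex(s):
    # RFC 2617 Digest is defined over MD5; that fixed choice is one of its weaknesses.
    return hashlib.md5(s.encode()).hexdigest()


def make_ha1(username, realm, password):
    """The value a server stores instead of the password. Its only 'salt' is the realm."""
    return _md5_hex(f"{username}:{realm}:{password}")


def make_nonce(now=None):
    """Nonce = issue-timestamp ':' HMAC(secret, timestamp), so the server can
    verify it without keeping a table of issued nonces."""
    ts = str(int(now if now is not None else time.time()))
    tag = hmac.new(SERVER_SECRET, ts.encode(), hashlib.sha256).hexdigest()[:32]
    return f"{ts}:{tag}"


def nonce_is_fresh(nonce, now=None):
    """True only if the nonce carries a valid tag and is within NONCE_LIFETIME."""
    try:
        ts, tag = nonce.split(":", 1)
        issued = int(ts)
    except ValueError:
        return False
    expected = hmac.new(SERVER_SECRET, ts.encode(), hashlib.sha256).hexdigest()[:32]
    if not hmac.compare_digest(tag, expected):
        return False
    current = now if now is not None else time.time()
    return 0 <= current - issued <= NONCE_LIFETIME


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response field for qop=auth, the form browsers send."""
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify(auth, ha1_lookup, method, now=None, seen_nc=None):
    """auth: dict of parsed Authorization header fields.
    ha1_lookup: username -> stored HA1 or None.
    seen_nc: set of (nonce, nc) pairs already accepted, used to reject replays."""
    if not nonce_is_fresh(auth["nonce"], now):
        return False
    key = (auth["nonce"], auth["nc"])
    if seen_nc is not None and key in seen_nc:
        return False
    ha1 = ha1_lookup(auth["username"])
    if ha1 is None:
        return False
    expected = digest_response(ha1, method, auth["uri"], auth["nonce"],
                               auth["nc"], auth["cnonce"])
    ok = hmac.compare_digest(expected, auth["response"])
    if ok and seen_nc is not None:
        seen_nc.add(key)
    return ok


def demo(now=1000):
    """Walk through challenge, response, acceptance, replay and expiry. Returns the outcomes."""
    users = {"brian": make_ha1("brian", "tomcat-example", "s3cret")}  # constructed
    nonce = make_nonce(now)
    auth = {
        "username": "brian", "realm": "tomcat-example", "uri": "/secure/",
        "nonce": nonce, "nc": "00000001", "cnonce": "0a4f113b",
    }
    auth["response"] = digest_response(users["brian"], "GET", auth["uri"],
                                       nonce, auth["nc"], auth["cnonce"])
    seen = set()
    first = verify(auth, users.get, "GET", now=now + 10, seen_nc=seen)
    replay = verify(auth, users.get, "GET", now=now + 20, seen_nc=seen)
    expired = verify(auth, users.get, "GET", now=now + NONCE_LIFETIME + 1, seen_nc=set())
    return first, replay, expired


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The lifetime check and the nonce-count set are the server's only defences against replay within a challenge; neither makes HA1 any harder to attack offline if the credential store leaks, which is the sense in which the nonce is not a salt.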
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org