tomcat-users mailing list archives

From Martin Gainty <mgai...@hotmail.com>
Subject RE: interaction between .forward() and <security-constraint>
Date Sun, 05 Sep 2010 00:15:51 GMT

far easier to implement than HTTPS
what can MIM access with just the session-id?
is this comparison DIGEST vs HTTPS documented?

Martin
______________________________________________
Disclaimer and confidentiality note

This message is confidential. If you are not the intended recipient, we kindly ask you to notify us. Any unauthorised forwarding or copying is not permitted. This message serves only to exchange information and has no legally binding effect. Because e-mails are easily manipulated, we cannot accept liability for their content.
This message is confidential and may be privileged. If you are not the intended recipient, we kindly ask you to inform the sender. Any unauthorised dissemination or copying of it is prohibited. This message is for information only and will not have any legally binding effect. Since e-mails can easily be subject to manipulation, we cannot accept any responsibility for the content provided.

> Date: Sun, 5 Sep 2010 00:23:51 +0100
> From: markt@apache.org
> To: users@tomcat.apache.org
> Subject: Re: interaction between .forward() and <security-constraint>
> 
> On 04/09/2010 17:27, André Warnier wrote:
> > Digest authentication is not very popular, and rather a pain to
> > implement yourself.
> > The reason why it is not very popular is that it is a bit of a halfway
> > solution: it does avoid user passwords being transmitted in clear over
> > the net, but it is not safe for man-in-the-middle attacks (someone can
> > record the digest, and use it to authenticate later as that user).
> 
> No, they can't. DIGEST is secure against such an attack. Any session ID,
> however, will be vulnerable.
> 
> > And
> > it still leaves the subsequent conversation unencrypted.
> 
> True.
> 
> > If you really need security, then you should run your entire site under
> > HTTPS.
> 
> It depends on what you are trying to protect. Generally, this is true
> but there will be edge cases where DIGEST is sufficient.
> 
> Mark
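The replay point Mark makes above (a recorded Digest response cannot be reused, while a recorded session ID can) is illustrated by the following added Python example. It is not code from this thread or from Tomcat's own DigestAuthenticator; the credentials, nonce bookkeeping, header values and session store are all constructed for the demonstration.

```python
import hashlib
import secrets

USERS = {"alice": "s3cret"}   # constructed credentials for the demo
REALM = "example"

def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, pw, method, uri, nonce, nc, cnonce):
    # RFC 2617 with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2), as the client computes it
    ha1 = _md5(f"{user}:{REALM}:{pw}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc:08x}:{cnonce}:auth:{ha2}")

class DigestServer:
    def __init__(self):
        self.nonces = {}   # server nonce -> highest nonce-count (nc) accepted so far

    def challenge(self):
        # Issued in WWW-Authenticate; a real server also expires nonces after a timeout
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return nonce

    def verify(self, hdr, method):
        # hdr: parsed Authorization directives (username, uri, nonce, nc, cnonce, response)
        nonce, nc = hdr["nonce"], int(hdr["nc"], 16)
        if nonce not in self.nonces:
            return False                    # unknown (or expired) nonce
        if nc <= self.nonces[nonce]:
            return False                    # nc did not advance: a recorded header replayed
        pw = USERS.get(hdr["username"])
        if pw is None or hdr["response"] != digest_response(
                hdr["username"], pw, method, hdr["uri"], nonce, nc, hdr["cnonce"]):
            return False                    # wrong password, or header altered in transit
        self.nonces[nonce] = nc
        return True

def session_accepts(sessions, cookie):
    # A session ID is a bearer token: whoever presents it is that user, replay included
    return cookie in sessions

def demo():
    srv = DigestServer()
    nonce = srv.challenge()
    resp = digest_response("alice", "s3cret", "GET", "/app/private", nonce, 1, "0a1b2c")
    hdr = {"username": "alice", "uri": "/app/private", "nonce": nonce, "nc": "00000001",
           "cnonce": "0a1b2c", "response": resp}
    first = srv.verify(hdr, "GET")          # genuine request: accepted
    replay = srv.verify(dict(hdr), "GET")   # same header captured and resent: rejected
    return first, replay, session_accepts({"JSESSIONID-constructed": "alice"}, "JSESSIONID-constructed")
```

Note that nonce-count tracking only defends the authentication step; as the thread also says, the rest of the exchange is still plaintext without HTTPS.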