> Thanks. One follow up question. Since everything in dspace is supposed to be
> open and freely accessible, other than the login procedure, is there any
> need for the rest of the site to be secured?

As usual, "it depends..."  mainly, on how much you care about truly
securing the authenticated access to the DSpace site.  The answer is
"no, the servlets that don't transmit passwords can be left unsecured"
if you aren't concerned about real security against active attacks.

Some DSpace instances have content that is not all freely available,
but the web UI handles this gracefully by turning an authorization
failure into a redirect to the login page.  So, unauthenticated visitors
can browse around with normal HTTP until they hit something protected.

However, the login procedure works by handing your browser a cookie.
The cookie is not marked secure so it gets transmitted on non-encrypted
connections, so it is subject to cookie hijacking (though recent changes
to the Authenticate class mitigate this somewhat) -- basically, the risk
is that an attacker could steal your cookie and get your level of access
to DSpace, which is significant if you're an Administrator.

Most sites don't consider this enough of a risk to be worth running the
entire site through HTTPS, but I'm just mentioning it so you know the reasoning.

OBTW, the <security-constraint> method below is an elegant solution.
It depends on having the secure="true" attribute on the <Connection>
element in your tomcat server.xml, and the <Connection>'s set up to
automatically redirect to the HTTPS port, but that's simple to set up,
it's well documented in the Tomcat docs.

It would be great to add this to the wiki, since it doesn't seem to be
there anywhere I can find.  If you need it, I've got a live example
that I could add.

    -- Larry

> On 1/24/07, Guang Huang <[EMAIL PROTECTED]> wrote:
> >
> > In dspace application web configure file web.xml
> > add something like:
> >
> > <security-constraint>
> >        <web-resource-collection>
> >                <web-resource-name>Pages requiring
> > HTTPS</web-resource-name>
> >                <url-pattern>...</url-pattern>
> >                <url-pattern>...</url-pattern>
> >        </web-resource-collection>
> >        <user-data-constraint>
> >                <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> >        </user-data-constraint>
> > </security-constraint>
> >
> > You could check dspace developers document or jsp/server specification
> > in detail
> >
> > Good luck
> > John Preston wrote:
> > > Can anyone tell me if it is possible to use https for just the login
> > > steps and regular unsecured http to access my dspace site. I need to
> > > secure the login username/password phase but once logged in I want to
> > > use the regular http so it is as fast as possible.
> > > ------------------------------------------------------------------------
> > >
> > >
> > > -------------------------------------------------------------------------
> > > Take Surveys. Earn Cash. Influence the Future of IT
> > > Join SourceForge.net's Techsay panel and you'll get the chance to share your
> > > opinions on IT & business topics through brief surveys - and earn cash
> > > http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> > > ------------------------------------------------------------------------
> > >
> > > _______________________________________________
> > > DSpace-tech mailing list
> > > DSpace-tech@lists.sourceforge.net
> > > https://lists.sourceforge.net/lists/listinfo/dspace-tech
> > >
> >
>



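A small offline check for the two points raised in Larry's reply above (a session cookie that is not marked Secure, and the plain-HTTP-to-HTTPS redirect that the <security-constraint> approach relies on). This is an added example, not code from DSpace or from anyone in this thread. It assumes Tomcat's default session cookie name JSESSIONID, an assumed login path /dspace/password-login, and constructed header samples in place of real server output; in practice you would paste in the headers your own server returns (from curl -i or the browser's network panel).

```python
"""Offline check for the two risks discussed in the thread: does the
session cookie carry the Secure flag, and does a plain-HTTP request for a
page covered by a CONFIDENTIAL <security-constraint> get redirected to
HTTPS?

Added example, not code from DSpace or from the mailing-list thread.
Assumptions: Tomcat's default session cookie name (JSESSIONID), an
assumed login path, and constructed HTTP header samples."""
from urllib.parse import urlsplit

# Flags a session cookie should carry before a site is served over mixed
# HTTP/HTTPS: Secure stops the browser sending it over plain HTTP (the
# hijacking risk in the thread), HttpOnly keeps it away from page scripts.
REQUIRED_FLAGS = ("Secure", "HttpOnly")


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes).

    Attribute names are lower-cased; valueless attributes such as Secure
    and HttpOnly map to True."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def missing_cookie_flags(set_cookie_headers, cookie_name="JSESSIONID"):
    """Return the REQUIRED_FLAGS absent from the named cookie.

    An empty list means the cookie is flagged as it should be; if the
    cookie is never set at all, every flag is reported missing."""
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name == cookie_name:
            return [f for f in REQUIRED_FLAGS if not attrs.get(f.lower())]
    return list(REQUIRED_FLAGS)


def redirects_to_https(requested_url, status, headers):
    """True if a plain-HTTP request got the redirect Tomcat issues for a
    CONFIDENTIAL constraint: a 3xx status whose Location uses https and
    keeps the same host and path (the port may differ, e.g. 80 -> 8443)."""
    if status not in (301, 302, 303, 307, 308):
        return False
    location = headers.get("Location")
    if not location:
        return False
    asked, sent = urlsplit(requested_url), urlsplit(location)
    return (sent.scheme == "https"
            and sent.hostname == asked.hostname
            and sent.path == asked.path)


# Constructed samples: a session cookie as Tomcat sets it by default, and
# the same cookie with both flags present.
WEAK_COOKIE = ["JSESSIONID=0123456789ABCDEF; Path=/dspace"]
FLAGGED_COOKIE = ["JSESSIONID=0123456789ABCDEF; Path=/dspace; Secure; HttpOnly"]

# Constructed redirect of the kind a Connector with redirectPort="8443"
# produces when the requested page sits inside a CONFIDENTIAL constraint.
# The login path is an assumption, not taken from the thread.
LOGIN_URL = "http://dspace.example.org/dspace/password-login"
REDIRECT = (302, {"Location": "https://dspace.example.org:8443/dspace/password-login"})

if __name__ == "__main__":
    print("weak cookie missing flags:", missing_cookie_flags(WEAK_COOKIE))
    print("flagged cookie missing flags:", missing_cookie_flags(FLAGGED_COOKIE))
    print("login page redirected to https:", redirects_to_https(LOGIN_URL, *REDIRECT))
```

The cookie check is the one that matters for the hijacking risk Larry describes: even with the login servlets behind HTTPS, a session cookie without the Secure flag is replayed by the browser on every later plain-HTTP request, so the constraint alone does not close the gap.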