Dear all, I would like to share my worry: although we are using SSL, the server (such as a Servlet) will receive the plain password, so the user's password can be lost. I have some guys who are developing a module, AuthenticationHandler, which supports authentication via a .NET Web Service. I'm not sure the developers don't insert code for logging the password. So I don't want the plain password to be seen by anyone except the user.

I found that Yahoo Mail (https://login.yahoo.com) encrypts the password with JavaScript before submit. I think we can implement this feature in CAS. For example, I'm using CAS to perform authentication with Active Directory (AD) in Windows 2003. I will implement a JavaScript function whose algorithm is the same as AD's to encrypt the password before submitting the login form. Then the AuthenticationHandler will check that the received encrypted password matches the hashed password in Active Directory. I'm not sure this architecture is feasible. How about you?

Regards,
Thach Le

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev

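The following is an added example, not code from the thread above or from CAS. It illustrates the caveat a reviewer of this design would raise: if the browser sends H(password) and the handler compares it directly with the hash stored in the directory, then H(password) is itself a reusable credential, so a handler that logs it has lost nothing compared with logging the plaintext. A challenge-response exchange (the server issues a single-use nonce, the client answers with an HMAC keyed by the password-derived verifier) keeps the plaintext off the server and makes whatever the handler sees useless for a second login. The verifier here is a plain SHA-256 of the password, an assumed simplification standing in for the directory's own hash; the `NaiveHashServer`, `ChallengeResponseServer`, `client_response` and `demo` names are the example's own, and the account in `demo` is constructed.

```python
import hashlib
import hmac
import os


def password_verifier(password: str) -> bytes:
    """Constructed, simplified verifier: SHA-256 of the UTF-8 password.

    Stands in for the hash the directory stores. The argument below does not
    depend on which hash algorithm the directory actually uses.
    """
    return hashlib.sha256(password.encode("utf-8")).digest()


# --- Scheme 1: client sends H(password), server compares it directly --------

class NaiveHashServer:
    """Stores H(password) per user and accepts H(password) from the client."""

    def __init__(self, users: dict):
        self.users = {u: password_verifier(p) for u, p in users.items()}

    def login(self, user: str, client_hash: bytes) -> bool:
        stored = self.users.get(user)
        return stored is not None and hmac.compare_digest(stored, client_hash)


# --- Scheme 2: challenge-response keyed by the stored verifier --------------

class ChallengeResponseServer:
    """Stores H(password) per user; each login needs a fresh server nonce."""

    def __init__(self, users: dict):
        self.users = {u: password_verifier(p) for u, p in users.items()}
        self.pending = {}  # user -> outstanding nonce (single use)

    def challenge(self, user: str) -> bytes:
        nonce = os.urandom(16)
        self.pending[user] = nonce
        return nonce

    def login(self, user: str, response: bytes) -> bool:
        nonce = self.pending.pop(user, None)  # a nonce is consumed on first use
        stored = self.users.get(user)
        if nonce is None or stored is None:
            return False
        expected = hmac.new(stored, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password: str, nonce: bytes) -> bytes:
    """What the browser would send: HMAC over the nonce, keyed by H(password).

    Neither the plaintext nor H(password) itself ever leaves the client.
    """
    return hmac.new(password_verifier(password), nonce, hashlib.sha256).digest()


def demo() -> dict:
    users = {"thach": "correct horse battery staple"}  # constructed sample account

    # Scheme 1: the value a logging handler sees is enough to log in again.
    naive = NaiveHashServer(users)
    seen_by_handler = password_verifier(users["thach"])
    naive_first = naive.login("thach", seen_by_handler)
    naive_replay = naive.login("thach", seen_by_handler)

    # Scheme 2: the logged response is bound to a nonce that is never reused.
    cr = ChallengeResponseServer(users)
    nonce = cr.challenge("thach")
    response = client_response(users["thach"], nonce)
    cr_first = cr.login("thach", response)
    cr.challenge("thach")  # server issues a fresh nonce for the next attempt
    cr_replay = cr.login("thach", response)

    return {
        "naive_first": naive_first,
        "naive_replay": naive_replay,
        "cr_first": cr_first,
        "cr_replay": cr_replay,
    }


if __name__ == "__main__":
    print(demo())
```

Two limits of the second scheme are worth keeping in view: the server still has to hold H(password), so the directory's stored verifier remains as sensitive as it is today, and a handler that can read that verifier can still answer challenges itself. What the exchange does achieve is the specific goal of the post, namely that nobody between the browser and the directory, the AuthenticationHandler included, ever sees the plaintext or a value that can be replayed.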