If you think of cobbling together your own authentication scheme, don't. You will make mistakes and introduce weaknesses. Use the established ones, in decreasing order of preference:
* TLS, e.g. <http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html#accesscontrol>
* WSSE, e.g. <http://www.xml.com/lpt/a/1337>, CPAN also has some stuff
* RFC 2617's predefined schemes, e.g. <http://httpd.apache.org/docs/2.0/mod/mod_auth.html>, <http://httpd.apache.org/docs/2.0/mod/mod_auth_digest.html>

Principally the authn could also be put in the app layer instead of the Web server layer, but I prefer having it at the Web server because I can more easily share authn across apps. This being REST, Cookies are right out.

The WSSE article is a bit dated. One fact is not true anymore: the crypto handshake has been extended so that certificates do not need their own IP any more, i.e. many sites can indeed be hosted at the same server. This is why I bumped TLS to the top.
_______________________________________________ List: [email protected] Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst Searchable archive: http://www.mail-archive.com/[email protected]/ Dev site: http://dev.catalyst.perl.org/
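As an added example (not from this message, CPAN or the Catalyst project), here is a server-side check of the WSSE UsernameToken scheme the xml.com article describes, in Python: it recomputes Base64(SHA1(Nonce + Created + Password)), rejects stale timestamps and replayed nonces, and compares in constant time. The credential store, 300-second window, nonce and timestamp values are constructed assumptions; note the scheme requires the server to hold the plaintext password.

```python
import base64, hashlib, hmac, re, time
from datetime import datetime, timezone

USERS = {"bob": "taadtaadpstcsm"}   # constructed credential store; WSSE needs the plaintext password
MAX_SKEW = 300                      # assumed window (seconds) a Created timestamp may differ from server time
_seen_nonces = {}                   # nonce -> expiry epoch, for replay rejection

def password_digest(nonce, created, password):
    """Base64(SHA1(Nonce + Created + Password)), as the xml.com article specifies."""
    raw = (nonce + created + password).encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

def build_wsse(username, password, nonce, created):
    """Client side: produce the X-WSSE header value."""
    return ('UsernameToken Username="%s", PasswordDigest="%s", Nonce="%s", Created="%s"'
            % (username, password_digest(nonce, created, password), nonce, created))

def parse_wsse(header):
    """Split an X-WSSE UsernameToken value into its quoted fields, or None if malformed."""
    if not header.startswith("UsernameToken "):
        return None
    fields = dict(re.findall(r'(\w+)="([^"]*)"', header))
    return fields if {"Username", "PasswordDigest", "Nonce", "Created"} <= set(fields) else None

def created_epoch(created):
    """Parse the Created timestamp (UTC, 'Z' suffix) into epoch seconds, or None if malformed."""
    try:
        return datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()
    except ValueError:
        return None

def verify_wsse(header, now=None):
    """Server side: return the username on success, None on any failure."""
    now = time.time() if now is None else now
    f = parse_wsse(header)
    ts = created_epoch(f["Created"]) if f else None
    if ts is None or abs(now - ts) > MAX_SKEW:
        return None                     # malformed, stale or future-dated token
    for n in [n for n, exp in _seen_nonces.items() if exp < now]:
        del _seen_nonces[n]             # forget nonces that could no longer pass the skew check anyway
    if f["Nonce"] in _seen_nonces or f["Username"] not in USERS:
        return None                     # replayed token or unknown user
    expected = password_digest(f["Nonce"], f["Created"], USERS[f["Username"]])
    if not hmac.compare_digest(expected.encode(), f["PasswordDigest"].encode()):
        return None                     # wrong password or tampered fields
    _seen_nonces[f["Nonce"]] = ts + MAX_SKEW
    return f["Username"]
```

The nonce table is per-process here; behind several Web server workers it would have to live in shared storage to actually stop replays.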
