Thank you so much, I will try TLS and see how it goes.

On Sat, Mar 12, 2011 at 7:44 PM, Lars Dɪᴇᴄᴋᴏᴡ 迪拉斯 <[email protected]> wrote:
> If you think of cobbling together your own authentication scheme, don't. You
> will make mistakes and introduce weaknesses. Use the established ones, in
> decreasing order of preference:
>
> * TLS, e.g.
> <http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html#accesscontrol>
> * WSSE, e.g. <http://www.xml.com/lpt/a/1337>, CPAN also has some stuff
> * RFC 2617's predefined schemes, e.g.
> <http://httpd.apache.org/docs/2.0/mod/mod_auth.html>,
> <http://httpd.apache.org/docs/2.0/mod/mod_auth_digest.html>
>
> Principally the authn could also be put in the app layer instead of the Web
> server layer, but I prefer having it at the Web server because I can more
> easily share authn across apps.
>
> This being REST, Cookies are right out.
>
> The WSSE article is a bit dated. One fact is not true anymore, the crypto
> handshake has been extended so that certificates do not need their own IP
> any more, i.e. many sites can indeed be hosted at the same server. This is
> why I bumped TLS to the top.
_______________________________________________ List: [email protected] Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst Searchable archive: http://www.mail-archive.com/[email protected]/ Dev site: http://dev.catalyst.perl.org/
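Added example, not part of this thread or of Catalyst: a server-side verifier for the WSSE UsernameToken header that the quoted reply points to (PasswordDigest = Base64(SHA1(Nonce + Created + Password))). Beyond recomputing the digest it adds the two checks that make the scheme worth anything in practice, a freshness window on Created and a seen-nonce table for replay rejection. The user table, nonce, timestamps and 300-second window are constructed values; hashing the nonce exactly as it appears in the header, and an in-memory nonce table, are assumptions for the sake of a stand-alone script.

```python
import base64
import hashlib
import hmac
import os
import re
import time
from datetime import datetime, timezone

# Constructed credential store: username -> plaintext password. WSSE's
# PasswordDigest needs the server to hold the plaintext (or an equivalent
# secret), which is one reason TLS client auth ranks above it.
USERS = {"bob": "correct horse battery staple"}

# Replay protection, assumed to be an in-memory table here: nonce -> time first seen.
SEEN_NONCES = {}
MAX_SKEW_SECONDS = 300  # constructed freshness window for the Created timestamp

_FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
_CREATED_FMT = "%Y-%m-%dT%H:%M:%SZ"


def created_to_ts(created: str) -> float:
    """Parse the Created field (UTC, second precision) into a Unix timestamp."""
    return datetime.strptime(created, _CREATED_FMT).replace(tzinfo=timezone.utc).timestamp()


def password_digest(nonce: str, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA1(Nonce + Created + Password)).
    Assumption: the nonce is hashed exactly as transmitted in the header."""
    raw = hashlib.sha1((nonce + created + password).encode("utf-8")).digest()
    return base64.b64encode(raw).decode("ascii")


def build_header(username, password, nonce=None, created=None):
    """Client side: produce the X-WSSE header value for one request."""
    nonce = nonce or os.urandom(16).hex()
    created = created or datetime.now(timezone.utc).strftime(_CREATED_FMT)
    return 'UsernameToken Username="%s", PasswordDigest="%s", Nonce="%s", Created="%s"' % (
        username, password_digest(nonce, created, password), nonce, created)


def parse_header(value):
    """Return the four token fields, or None if the header is not a UsernameToken."""
    if not value.startswith("UsernameToken "):
        return None
    fields = dict(_FIELD_RE.findall(value[len("UsernameToken "):]))
    if set(fields) != {"Username", "PasswordDigest", "Nonce", "Created"}:
        return None
    return fields


def verify_header(value, now=None):
    """Server side: return (ok, reason). Order matters: cheap rejections first,
    and the nonce is only recorded once the digest has been accepted."""
    now = time.time() if now is None else now
    fields = parse_header(value)
    if fields is None:
        return False, "malformed"
    try:
        created_ts = created_to_ts(fields["Created"])
    except ValueError:
        return False, "bad-created"
    if abs(now - created_ts) > MAX_SKEW_SECONDS:
        return False, "stale"
    # Drop nonces older than the window, then refuse any nonce seen within it.
    for nonce, seen_at in list(SEEN_NONCES.items()):
        if now - seen_at > MAX_SKEW_SECONDS:
            del SEEN_NONCES[nonce]
    if fields["Nonce"] in SEEN_NONCES:
        return False, "replay"
    password = USERS.get(fields["Username"])
    # Always compute a digest (empty password for unknown users) and compare in
    # constant time, so unknown-user and wrong-password paths look alike.
    expected = password_digest(fields["Nonce"], fields["Created"], password or "")
    if password is None or not hmac.compare_digest(expected, fields["PasswordDigest"]):
        return False, "bad-credentials"
    SEEN_NONCES[fields["Nonce"]] = now
    return True, "ok"


if __name__ == "__main__":
    header = build_header("bob", USERS["bob"])
    print(header)
    print(verify_header(header))  # first use: accepted
    print(verify_header(header))  # same nonce again: replay
```

The freshness window and nonce table together bound how long a captured header is useful, which is the only protection the scheme offers on a plain-HTTP connection; the nonce table must be shared across all app instances that accept the header, otherwise a replay against a second instance succeeds.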
