Short answer:
I think 1
Longer answer/example:
Tomcat Authentication
User requests password page and provides credentials.
Browser encrypts post and sends it.
Tomcat SSL decrypts.
Authentication is then performed on the
authentication store (ADS possibly).
So I think the network usually takes care of securing itself, when needed.
I would probably leave 2 as "possible feature" and post it on our roadmap
so that users can vote on it.
I'll try to create a "Dell IdeaStorm" page for our road map later so that
features can be voted for.
Cheers,
- Ole
Emmanuel Lecharny wrote:
Hi guys,
I have a doubt, maybe you have a clear vision about this point:
is it the server responsibility to compare the user's password against
an encrypted form or should the client encrypt the password before
sending it to the server?
I mean, we can have one of those two possibilities:
1) [client] --(clear password)--> <network> --> [server] --> encrypt
the password and compares it to the stored encrypted password
or
2) [client] --(encrypt password)--> <network> --> [server] --> compares
the encrypted password and compares it to the stored encrypted password
?
Emmanuel
PS: we have solution 1 currently implemented. Is it correct?
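
The two flows from the question above, as an added example that is not part of the original thread or of the project's code. It assumes "encrypt" means a salted one-way hash (PBKDF2-HMAC-SHA256 here, since the thread names no scheme); all function names and the sample password are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumption: the thread names no hash scheme


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way transform standing in for "encrypt" in the thread."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(password: str) -> dict:
    """What the authentication store keeps: a salt and the hash, never the password."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def verify_option1(record: dict, clear_password: str) -> bool:
    """Option 1: cleartext arrives (inside TLS); the server hashes and compares."""
    candidate = hash_password(clear_password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def client_option2(password: str, salt: bytes) -> bytes:
    """Option 2, client side: hash before sending (the client must learn the salt)."""
    return hash_password(password, salt)


def verify_option2(record: dict, received: bytes) -> bool:
    """Option 2, server side: compare the received bytes to the stored bytes."""
    return hmac.compare_digest(received, record["hash"])


def demo() -> dict:
    password = "correct horse (constructed sample)"
    record = make_record(password)
    wire = client_option2(password, record["salt"])
    return {
        "option1_ok": verify_option1(record, password),
        "option1_wrong": verify_option1(record, "wrong guess"),
        "option2_ok": verify_option2(record, wire),
        # Under option 2 the value on the wire is identical to the stored value,
        # so the stored hash itself is enough to log in (password-equivalent).
        "wire_equals_stored": wire == record["hash"],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Under option 2 the transport still has to be protected, because the hash now plays the role of the password.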