Yeah, 1 is the way to go. Forget about 2, it creates a security breach.
For roadmap, we use Jira, and you can vote for using it. The wheel already exists ;) On 3/10/07, Ole Ersoy <[EMAIL PROTECTED]> wrote:
Short answer: I think 1

Longer answer/example: Tomcat Authentication

User requests password page and provides credentials. Browser encrypts post and sends it. Tomcat SSL decrypts. Authentication is then performed on the authentication store (ADS possibly).

So I think the network usually takes care of securing itself, when needed. I would probably leave 2 as "possible feature" and post it on our roadmap so that users can vote on it. I'll try to create a "Dell IdeaStorm" page for our road map later so that features can be voted for.

Cheers,
- Ole

Emmanuel Lecharny wrote:
> Hi guys,
>
> I have a doubt, maybe you have a clear vision about this point :
>
> is it the server's responsibility to compare the user's password against
> an encrypted form or should the client encrypt the password before
> sending it to the server ?
>
> I mean, we can have one of those two possibilities :
> 1) [client] --(clear password)--> <network> --> [server] --> encrypt
> the password and compare it to the stored encrypted password
> or
> 2) [client] --(encrypt password)--> <network> [server] --> compare
> the encrypted password to the stored encrypted password
>
> ?
>
> Emmanuel
>
> PS : we have solution 1 currently implemented. Is it correct ?
-- Cordialement, Emmanuel Lécharny www.iktek.com
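Added illustration of the two schemes discussed in the thread (this is example code, not ApacheDS code; the salted SHA-256 record format and all names are assumptions for the demo). It shows why option 2 is the weaker design: when the server merely compares the value the client sends with what it has stored, the stored digest itself becomes a password-equivalent, so a copy of the credential store logs in directly. Under option 1 the stored digest is not usable as a password.

```python
import hashlib
import hmac
import os

# ---- Option 1: client sends the clear password (over TLS); server hashes it ----

def make_record_scheme1(password: str, salt: bytes = None) -> dict:
    """Store a salted SHA-256 digest (assumed format, for illustration only)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.sha256(salt + password.encode()).digest()
    return {"salt": salt, "digest": digest}

def verify_scheme1(record: dict, clear_password: str) -> bool:
    """Server re-derives the digest with the stored salt and compares in constant time."""
    candidate = hashlib.sha256(record["salt"] + clear_password.encode()).digest()
    return hmac.compare_digest(candidate, record["digest"])

# ---- Option 2: client hashes the password itself; server only compares ----

def client_hash(password: str) -> bytes:
    """Unsalted, because a client cannot know a per-user server-side salt."""
    return hashlib.sha256(password.encode()).digest()

def make_record_scheme2(password: str) -> dict:
    return {"digest": client_hash(password)}

def verify_scheme2(record: dict, client_digest: bytes) -> bool:
    """Server never sees the password; it just compares digest to digest."""
    return hmac.compare_digest(client_digest, record["digest"])

# ---- What happens if the credential store leaks? ----

def stored_value_logs_in_scheme1(record: dict) -> bool:
    # Treat the leaked digest as if it were the password: it does not verify.
    return verify_scheme1(record, record["digest"].hex())

def stored_value_logs_in_scheme2(record: dict) -> bool:
    # The leaked digest is exactly what a client would send: it verifies.
    return verify_scheme2(record, record["digest"])

if __name__ == "__main__":
    rec1 = make_record_scheme1("s3cret")          # constructed sample user
    rec2 = make_record_scheme2("s3cret")
    print("scheme 1, leaked store usable as credential:", stored_value_logs_in_scheme1(rec1))
    print("scheme 2, leaked store usable as credential:", stored_value_logs_in_scheme2(rec2))
```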
