Jörn Nettingsmeier wrote:
Jann Forrer wrote:
Jörn Nettingsmeier wrote:
hi!
here are some thoughts about a possible future authentication scheme:
* all passwords are stored as hashes only.
* authentication happens via challenge/response so that no
plaintext-equivalent data travels across the network. this assumes some
client-side javascript code to compute the response (afaik, http digest
is no real alternative because it uses plaintext-equivalent hashes).
* the challenge changes all the time, so that replay attacks don't work.
+1
* additionally, we come up with some neat documentation about how to
enforce ssl connections for authoring and live ac login.
Is that documentation already online? I am very much interested in it.
We did also enforce SSL by using a separate RewriteRule. Do you use
another approach?
no. i haven't implemented ssl on our lenya test server yet, but for a
wiki i use a
RedirectMatch ^/wiki/(.*) https://my.server/wiki/$1
We use:
RewriteCond %{QUERY_STRING} lenya\.usecase=login(.*)
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]
BTW the security stuff becomes even more important if you use e.g. an
ldap server for authentication where users use accounts which are not
only used for cms login!
which is what i'm ultimately aiming at: single sign-on via ldap with a
samba domain controller.
speaking of ldap: does anyone know how the current ldap implementation
works? jwkaltz?
does it use an ldap auth mechanism, or is the password transferred from
the ldap server in plaintext and the lenya servlet does the authentication?
By default the Context.SECURITY_AUTHENTICATION is set to simple, i.e.
clear-text password. However, you can define the security protocol as
SSL: security-protocol=ssl
The following link may help
http://java.sun.com/products/jndi/tutorial/ldap/security/auth.html
Jann