Yes indeed. That's why I said 'not the most secure'

OTOH, the attacker needs to know that the piece of text is the md5
hash... or he just has to try it given 'well known practices' (like
md5-hashing passwords ;))

Thanks for the answer

On Mon, Oct 19, 2009 at 9:03 AM, Rhett Sutphin
<rh...@detailedbalance.net> wrote:
> Hi Fabian,
>
> On Oct 19, 2009, at 6:14 AM, Fabian Mandelbaum wrote:
>
>> I guess he's using md5 on the client to avoid transmitting the
>> password in clear (its md5 hash is transmitted instead). As a side
>> effect, this approach may even remove the need for https with basic
>> auth
>>
>> Maybe not the most secure idea but it would work...
>
> It obscures the user's password-as-entered, but it isn't secure.  It
> changes the password for the service from X to md5(X) -- any attacker
> who sniffs a single request can still impersonate the user.
>
> Rhett
>
>>
>> On Mon, Oct 19, 2009 at 8:23 AM, Jerome Louvel
>> <jerome.lou...@noelios.com> wrote:
>>> Hi Laurent,
>>>
>>> On the client side, I'm not sure why you need to apply MD5 on your
>>> password.
>>>
>>>
>>> On the server side, you can just call
>>> ServerResource#getChallengeResponse().getIdentifier() and getSecret() to
>>> retrieve the values sent by the client.
>>>
>>> Best regards,
>>> Jerome Louvel
>>> --
>>> Restlet ~ Founder and Lead developer ~ http://www.restlet.org
>>> Noelios Technologies ~ Co-founder ~ http://www.noelios.com
>>>
>>>
>>> -----Original Message-----
>>> From: Laurent Garrigues [mailto:laur...@speedinfo.fr]
>>> Sent: Wednesday, 14 October 2009 17:03
>>> To: discuss@restlet.tigris.org
>>> Subject: Retrieving Login in a resource
>>>
>>> hello,
>>>
>>>
>>> I have an application using 'guards' to protect the access of my
>>> resources.
>>>
>>> My guards work well using TestResolver and SecretVerifier.
>>>
>>> The login and the password are transmitted by the client using BASIC
>>> authentication over https:
>>>
>>>
>>>
>>> ---------------------------------------------------------------------------
>>>
>>> import org.restlet.data.ChallengeScheme;
>>> import org.restlet.resource.ClientResource;
>>>
>>>    /* URI */
>>>    ClientResource itemsResource = new
>>>        ClientResource("https://localhost:8283/json/MDC/create-commande");
>>>
>>>    /* Protocol, login and password */
>>>    String login = "LOGIN";
>>>    String password = "PASSWORD";
>>>
>>>    // Md5 is a helper class not shown in this message; the MD5 hex digest
>>>    // of the password is sent as the Basic secret instead of the password.
>>>    password = new Md5().getMd5(password);
>>>
>>>    itemsResource.setChallengeResponse(ChallengeScheme.HTTP_BASIC, login, password);
>>>
>>> ---------------------------------------------------------------------------
>>>
>>>
>>> Basically, I would like to retrieve the login sent by the client
>>> and process
>>> it in my resource given that I cannot use session or cookies.
>>>
>>> Thanks in advance for your help.
>>>
>>> best regards.
>>>
>>>
>>>
>>> Laurent Garrigues
>>>
>>> ------------------------------------------------------
>>> http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2407576
>>>
>>> ------------------------------------------------------
>>> http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2408904
>>>
>>
>>
>>
>> --
>> Fabián Mandelbaum
>> IS Engineer
>>
>> ------------------------------------------------------
>> http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2408912
>
> ------------------------------------------------------
> http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2408922
>



-- 
Fabián Mandelbaum
IS Engineer

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2408931
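The replay problem Rhett describes above, as an added example that is not part of this thread or of Restlet: a constructed Python model of Laurent's client (HTTP Basic with md5(password) as the secret), a hypothetical server store that keeps md5(password) per user, and an attacker who captures a single Authorization header. USER, PASSWORD, STORE and all function names are assumptions for illustration, not code from the original messages. It shows that the hash is simply the new password: the header carries it in clear (Basic is only base64), and replaying that header is accepted even though the attacker never learns PASSWORD, while the original PASSWORD itself is now rejected.

```python
import base64
import hashlib
import hmac
from typing import Tuple

# Constructed credentials for the example (not from the thread).
USER = "LOGIN"
PASSWORD = "PASSWORD"


def md5_hex(s: str) -> str:
    """What Laurent's client sends as the Basic secret: md5(password) as hex."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def basic_authorization(identifier: str, secret: str) -> str:
    """Build the Authorization header value an HTTP Basic client transmits."""
    token = base64.b64encode(f"{identifier}:{secret}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_authorization(header: str) -> Tuple[str, str]:
    """What the server, or anyone sniffing the request, recovers from the header.
    Basic is base64, not encryption, so identifier and secret come back in clear."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not an HTTP Basic challenge response")
    identifier, _, secret = base64.b64decode(token).decode("utf-8").partition(":")
    return identifier, secret


# Hypothetical server-side store: keeps md5(password) so it can compare it with
# the md5 value the client sends (mirrors the client-side hashing scheme).
STORE = {USER: md5_hex(PASSWORD)}


def server_accepts(header: str) -> bool:
    """Verifier for the hypothetical server: the secret must equal the stored md5."""
    identifier, secret = parse_basic_authorization(header)
    expected = STORE.get(identifier)
    return expected is not None and hmac.compare_digest(expected, secret)


def sniff_and_replay(header: str) -> str:
    """Attacker who saw one request: rebuild an equivalent header from it.
    The attacker only ever holds md5(PASSWORD), never PASSWORD."""
    identifier, secret = parse_basic_authorization(header)
    return basic_authorization(identifier, secret)


def demo() -> Tuple[bool, bool, bool]:
    """Returns (legitimate request accepted, replayed request accepted,
    raw password rejected)."""
    legit = basic_authorization(USER, md5_hex(PASSWORD))
    replayed = sniff_and_replay(legit)
    raw = basic_authorization(USER, PASSWORD)
    return server_accepts(legit), server_accepts(replayed), not server_accepts(raw)


if __name__ == "__main__":
    print(demo())
```

Because the check is a plain equality against a fixed value, nothing ties a request to a challenge or a point in time; a captured header works forever, which is why the hashing buys nothing over sending the password itself when the transport is not protected.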
