> OK, I should have mentioned that I planned to use SSL. But even with SSL, isn't it
> quite easy for a hacker to connect to my web site, perform the SSL handshake, guess a
> valid serial number and include it as a cookie in the following requests? If the
> serial numbers are easily guessable, whatever password constraint you enforce,
> accessing protected resources is a piece of cake, isn't it?

SSL doesn't make cookies more secure.

If I have access to your Web browser I can easily grab the cookie from
it, then open up my SSL connection to the server and use that cookie.

Stealing the cookie from your machine is far easier than guessing the
cookie.

Security always breaks at the weakest point. If the weakest point is the
ease of stealing a cookie, it doesn't matter how hard/easy it is to
guess it.


> OK, here again, I chose a bad example. I know that checking the IP address is not a
> good idea. But it would be nice if I could customize the way the serial number is
> generated, or renew it after x requests from that user.

AFAIK if you are running SSL then SSL takes care of the session for you
using SSL capabilities, which means you get better support than what you
had in mind doing with cookies.


> That really sucks, IMO. So if you want to have security in your web server AND in your
> EJB server, you're forced to use either a non-customizable form-based mechanism which
> seems not to be secure enough, either SSL with client authentication, which requires a
> lot more work, a certificate for each client, etc. Since the container must have a way
> to associate a Principal to the current thread, it should not be too hard to add a
> method to allow the code itself to do that. This is also necessary if you want to
> access a bean from your servlet with the user identity, and another bean with an
> administrator's identity. Hope JAAS will solve this.

Hopefully.

arkin


>
> >
> > > Five: if I still want to use the declarative form-based authentication, but also
> > > want the users to be able to enroll themselves (choose a user ID and password),
> > > how can I insert a new user in the user database and map him to some roles?
> >
> > The specs definitely do not define that. You need to use some
> > proprietary mechanism to add/remove users which is compatible with what
> > you use to authenticate them.
> >
> > (I know. It sucks big time. You are not the first to say "well, how do I
> > update this thing?")
> >
>
> Good not to feel alone :-)
>
> Thanks again.
>
> JB.
>
> >
> > > The authentication part, though enhanced in the latest specs, is still full of
> > > big holes, unless I missed a big part. So if you could tell me what you think,
> > > or what you know from different products, this would be nice.
> >
> > It's more like a doughnut :-)
> >
> > arkin
> >
> > >
> > > Thanks.
> > > JB.
> > >
> > > --
> > > Jean-Baptiste Nizet
> > > [EMAIL PROTECTED]
> > >
> > > R&D Engineer, S1 Belgium
> > > Excelsiorlaan 87
> > > B-1930 Zaventem
> > > +32 2 714 45 42
> > >
> > > ===========================================================================
> > > To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> > > of the message "signoff EJB-INTEREST".  For general help, send email to
> > > [EMAIL PROTECTED] and include in the body of the message "help".

--
----------------------------------------------------------------------
Assaf Arkin                                           www.exoffice.com
CTO, Exoffice Technologies, Inc.                        www.exolab.org

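The two points argued above (a guessable "serial number" cookie versus an unpredictable one, and renewing the ID after a fixed number of requests) as an added, runnable example. This is illustration code written for this page, not code from the thread, from any EJB container, or from Exoffice; the class and function names are invented, and the user names are constructed sample data.

```python
"""Added example (not from the original thread): a guessable, sequential
session cookie next to an unpredictable one that is also rotated after a
fixed number of requests, plus the attacker's view of each scheme."""
import secrets


class SequentialSessionStore:
    """Issues IDs from a counter. An attacker who sees one valid ID
    (his own, say) can enumerate the neighbours and hit other users."""

    def __init__(self, start=1000):
        self._next = start
        self.sessions = {}

    def create(self, user):
        sid = str(self._next)
        self._next += 1
        self.sessions[sid] = user
        return sid

    def lookup(self, sid):
        return self.sessions.get(sid)


class RandomSessionStore:
    """IDs are 256 bits from the OS CSPRNG (secrets.token_urlsafe), so
    guessing is hopeless, and the ID is replaced after rotate_after uses
    to limit how long a stolen cookie stays valid."""

    def __init__(self, rotate_after=50):
        self.rotate_after = rotate_after
        self.sessions = {}

    @staticmethod
    def _new_id():
        return secrets.token_urlsafe(32)  # 32 random bytes, URL-safe text

    def create(self, user):
        sid = self._new_id()
        self.sessions[sid] = {"user": user, "requests": 0}
        return sid

    def touch(self, sid):
        """Validate a presented cookie. Returns (user, id_to_send_back) or
        None. After rotate_after requests the old ID is invalidated and a
        fresh one is returned for the next Set-Cookie."""
        rec = self.sessions.get(sid)
        if rec is None:
            return None
        rec["requests"] += 1
        if rec["requests"] >= self.rotate_after:
            del self.sessions[sid]
            new_sid = self._new_id()
            self.sessions[new_sid] = {"user": rec["user"], "requests": 0}
            return rec["user"], new_sid
        return rec["user"], sid


def guess_sequential(store, known_sid, attempts=100):
    """Attacker holding one sequential ID tries the next `attempts` values.
    Returns the IDs that turned out to be live sessions of other users."""
    base = int(known_sid)
    return [str(base + d) for d in range(1, attempts + 1)
            if store.lookup(str(base + d)) is not None]


def guess_random(store, attempts=2000):
    """Same attacker against random IDs: blind guesses, count the hits."""
    return sum(1 for _ in range(attempts)
               if store.touch(RandomSessionStore._new_id()) is not None)


if __name__ == "__main__":
    seq = SequentialSessionStore()
    mine = seq.create("attacker")          # constructed sample users
    seq.create("alice"); seq.create("bob")
    print("sequential IDs found by guessing:", guess_sequential(seq, mine))

    rnd = RandomSessionStore(rotate_after=3)
    sid = rnd.create("alice")
    for _ in range(3):
        user, sid = rnd.touch(sid)         # third call rotates the ID
    print("random IDs found by guessing:", guess_random(rnd))
```

The rotation in `touch` is the "renew it after x requests" the poster asked for; a real container would also have to send the new value in a `Set-Cookie` header and reject the old one, which is what `touch` does by deleting the old key. Note that none of this helps if the cookie is simply copied off the client machine, which is the thread's point: rotation only shortens the window in which a stolen value is usable.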
