Hi Volker,

full acknowledgment :-)

Quoting Volker Grabsch <[email protected]>:

> Jamie Popkin <[email protected]> wrote:
>> I'm glad to see you're working on porting the authentication to Spring.
>>
>> I had similar concerns. That's why I moved to a CGI script doing a local
>> request. The credentials are passed through a http://localhost:8080 call...
>> ie. nothing is passed over the internet. I let another (MD5 protected) form
>> based authentication handle the user's initial login.
>
> Note that just hashing passwords via MD5 doesn't provide good security,
> either. If that kind of snake-oil provides a false feeling of security,
> it actually does more harm than good.
>
> Instead, you need HMAC for authentication (which uses MD5 or SHA1 as
> building block, but does more).
>
> Also, note that there's already a standard for that kind of authentication,
> namely HTTP Digest Auth (not to be confused with HTTP Basic Auth) which
> is suitable for secure authentication over unencrypted channels.
>
>> I'd like to move to https in the future. That would be even better I think.
>
> When using HTTPS, you can indeed use HTTP Basic Auth. But even in that
> scenario, HTTP Digest Auth has some advantages.
>
> I recommend reading the following Wikipedia articles on that topic:
>
>     http://en.wikipedia.org/wiki/HMAC
>     http://en.wikipedia.org/wiki/Digest_access_authentication
>
>
> Greets,
> Volker
>
> --
> Volker Grabsch
> ---<<(())>>---
_______________________________________________
Geoserver-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/geoserver-users
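
The contrast drawn in the quoted reply between plain MD5 hashing and HMAC, as an added example that is not part of the original thread: a static MD5 token is accepted again whenever it is presented, while an HMAC response bound to a one-time server nonce is not. The user table, the password and the use of SHA-256 inside HMAC are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample credentials for the demonstration (not from the thread).
USERS = {"alice": b"correct horse battery"}

def md5_token(password: bytes) -> str:
    """Static MD5 'protection': the same value is sent on every login."""
    return hashlib.md5(password).hexdigest()

def verify_md5(user: str, token: str) -> bool:
    return hmac.compare_digest(md5_token(USERS[user]), token)

class HmacServer:
    """Challenge-response: each login attempt is bound to a one-time nonce."""
    def __init__(self):
        self.pending = {}  # user -> outstanding nonce

    def challenge(self, user: str) -> bytes:
        self.pending[user] = secrets.token_bytes(16)
        return self.pending[user]

    def verify(self, user: str, response: str) -> bool:
        nonce = self.pending.pop(user, None)  # a nonce is valid only once
        if nonce is None or user not in USERS:
            return False
        expected = hmac.new(USERS[user], nonce, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)

def client_response(password: bytes, nonce: bytes) -> str:
    return hmac.new(password, nonce, hashlib.sha256).hexdigest()

def demo() -> dict:
    results = {}
    # The value recorded from one legitimate login is presented a second time.
    seen_md5 = md5_token(USERS["alice"])
    results["md5_replay_accepted"] = verify_md5("alice", seen_md5)
    server = HmacServer()
    nonce = server.challenge("alice")
    seen_hmac = client_response(USERS["alice"], nonce)
    results["hmac_login_ok"] = server.verify("alice", seen_hmac)
    # Same recorded response again: first with no nonce pending, then a new one.
    results["hmac_replay_no_challenge"] = server.verify("alice", seen_hmac)
    server.challenge("alice")
    results["hmac_replay_new_challenge"] = server.verify("alice", seen_hmac)
    return results

if __name__ == "__main__":
    print(demo())
```

HTTP Digest Auth, which the reply recommends, builds on the same server-nonce idea; this sketch does not implement its message format.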
