Thanks Christian... That makes sense. I'd rather not slow things down. :)

As for the MD5 stuff. Thanks for the input... And agreed... I'm hashing more
than just the password.

On Wed, Nov 17, 2010 at 8:53 AM, <[email protected]> wrote:

> Hi Volker, full acknowledgment  :-)
>
> Quoting Volker Grabsch <[email protected]>:
>
> > Jamie Popkin <[email protected]> schrieb:
> >> I'm glad to see you're working on porting the authentication to Spring.
> >>
> >> I had similar concerns. That's why I moved to a CGI script doing a local
> >> request. The credentials are passed through a http://localhost:8080 call...
> >> ie. nothing is passed over the internet. I let another (MD5 protected) form
> >> based authentication handle the user's initial login.
> >
> > Note that just hashing passwords via MD5 doesn't provide good security,
> > either. If that kind of snake-oil provides a false feeling of security,
> > it actually does more harm than good.
> >
> > Instead, you need HMAC for authentication (which uses MD5 or SHA1 as
> > building block, but does more).
> >
> > Also, note that there's already a standard for that kind of authentication,
> > namely HTTP Digest Auth (not to be confused with HTTP Basic Auth) which
> > is suitable for secure authentication over unencrypted channels.
> >
> >> I'd like to move to https in the future. That would be even better I think.
> >
> > When using HTTPS, you can indeed use HTTP Basic Auth. But even in that
> > scenario, HTTP Digest Auth has some advantages.
> >
> > I recommend reading the following Wikipedia articles on that topic:
> >
> >     http://en.wikipedia.org/wiki/HMAC
> >     http://en.wikipedia.org/wiki/Digest_access_authentication
> >
> >
> > Greets,
> > Volker
> >
> > --
> > Volker Grabsch
> > ---<<(())>>---
> >
> >
> ------------------------------------------------------------------------------
> > Beautiful is writing same markup. Internet Explorer 9 supports
> > standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
> > Spend less time writing and  rewriting code and more time creating great
> > experiences on the web. Be a part of the beta today
> > http://p.sf.net/sfu/msIE9-sfdev2dev
> > _______________________________________________
> > Geoserver-users mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/geoserver-users
> >
>
>
>
> ----------------------------------------------------------------
> This message was sent using IMP, the Internet Messaging Program.
>
>
>
>
>



-- 
Jamie Popkin
Little Earth
250 390 6816
http://littleearth.ca
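As an added example (not code from Volker's post or from GeoServer), this is what the HTTP Digest Auth exchange he recommends actually computes (RFC 2617 with qop=auth), alongside a keyed HMAC tag for comparison with a bare MD5 of the data. The user store, realm, URI and request parameters are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def _md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    # HA1 is the only per-user secret a Digest-capable server needs to store.
    return _md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    # Client-side computation: the password itself never goes on the wire,
    # and the proof is bound to the server nonce, the method and the URI.
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verify(ha1_store: dict, username: str, method: str, uri: str,
                  nonce: str, nc: str, cnonce: str, response: str) -> bool:
    # The server recomputes the expected response from its stored HA1 and
    # the request parameters. A real server also tracks nonce freshness and
    # the nonce count (nc) so that a captured response cannot be replayed.
    ha1 = ha1_store.get(username)
    if ha1 is None:
        return False
    expected = digest_response(ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)


def hmac_tag(key: bytes, message: bytes) -> str:
    # HMAC-SHA1 (RFC 2104): a keyed MAC. Unlike a bare MD5 of the message,
    # the tag cannot be computed by anyone who lacks the key, which is what
    # "does more than just hashing" means in the thread.
    return hmac.new(key, message, hashlib.sha1).hexdigest()


def demo() -> dict:
    # Constructed credentials and request; nonces are fresh per run.
    store = {"jamie": digest_ha1("jamie", "geoserver", "correct horse")}
    nonce, cnonce, nc = secrets.token_hex(16), secrets.token_hex(8), "00000001"
    resp = digest_response(store["jamie"], "GET", "/geoserver/rest", nonce, nc, cnonce)
    ok = server_verify(store, "jamie", "GET", "/geoserver/rest", nonce, nc, cnonce, resp)
    # The same response does not validate for a different URI.
    other = server_verify(store, "jamie", "GET", "/geoserver/other", nonce, nc, cnonce, resp)
    return {"ok": ok, "other_uri": other}
```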