Tossing in my .05: I wouldn't worry about HTTPS performance for regular GetMap or WFS requests. Just set the keepalive to 15 to 30 seconds (3-5 is common for HTTP). With tiling/caching it's obviously a different story.
Digest is better, but keep in mind that it only protects the password, not an established session or the data.

-Arne

On 11/17/10 5:51 PM, [email protected] wrote:
> MD5 protected? Do you mean this one
> http://en.wikipedia.org/wiki/Digest_access_authentication
>
> This is definitively better.
>
> Or did you develop your own mechanism? If you did, please add a
> salt to the password before hashing, e. g. calculate md5(password
> concatenated with username) to prevent dictionary attacks.
>
> I plan to make the authentication modules pluggable to avoid "nasty"
> constructs.
>
> About https:
> The performance penalty depends on the chosen cipher suite between
> the client and the server.
> For key establishment asymmetric cyphers are used and they are always
> expensive. After agreement on the session key, symmetric cyphers are
> used, e.g. AES --> fast, 3DES --> not so fast. Be aware that
> serving a lot of GIS data is not the same as an online banking. At
> the end of the day you have to test in your environment.
>
> Cheers
> Christian
>
> Quoting Jamie Popkin <[email protected]>:
>
>> Thanks Christian.
>> I'm glad to see you're working on porting the authentication to Spring.
>>
>> I had similar concerns. That's why I moved to a CGI script doing a local
>> request. The credentials are passed through a http://localhost:8080 call...
>> ie. nothing is passed over the internet. I let another (MD5 protected) form
>> based authentication handle the user's initial login.
>>
>> I'd like to move to https in the future. That would be even better I think.
>>
>> Jamie
>>
>> On Wed, Nov 17, 2010 at 2:27 AM, <[email protected]> wrote:
>>
>>> But you are aware the Basic Authentication does not encrypt the password.
>>> The password is base64 encoded which is the same security level as sending
>>> passwords in plain text.
>>>
>>> I am working on such issues, look here
>>> http://jira.codehaus.org/browse/GEOS-4215
>>>
>>> For the moment I am still waiting for some feedback.
>>>
>>> Quoting Jamie Popkin <[email protected]>:
>>>
>>> Thanks Arne.
>>>> That's good news for me... It means I'm heading in the right direction. :)
>>>>
>>>> I believe I have the format of the cookie correct. I'm starting to wonder if
>>>> the port number :8080 is tripping up the domain setting of the cookie???
>>>> That's a shot in the dark though.
>>>>
>>>> I'm going to start testing different ways of inserting the cookie into the
>>>> browser. I'll post back here with my progress.
>>>>
>>>> Jamie
>>>>
>>>> On Tue, Nov 16, 2010 at 1:30 PM, Arne Kepp <[email protected]> wrote:
>>>>
>>>> The trick with the "remember me" cookie should work.
>>>>>
>>>>> Note that the value of the cookie starts and ends with a double quote,
>>>>> and contains ==. Normally these four characters would be URL escaped
>>>>> (%20, %D3), but then acegi will not accept them. So make sure they're
>>>>> set exactly like you receive them, I think the cookie is just deleted if
>>>>> it's rejected.
>>>>>
>>>>> Technically, the best practice is probably to write acegi / Spring
>>>>> Security plugins linked to your frontend application. I found it quite
>>>>> challenging though.
>>>>>
>>>>> -Arne
>>>>>
>>>>>
>>>>> On 11/16/10 10:01 PM, Jamie Popkin wrote:
>>>>> > I'm trying to access some secured wms services through basic authentication.
>>>>> > I figured the most secure way to do this was have a cgi script grab the
>>>>> > "remember me" authentication cookie through a local curl request. Then have
>>>>> > that returned to the user and entered as a cookie.
>>>>> >
>>>>> > I've been unsuccessful at getting this to work. Can anyone see a problem
>>>>> > with this set-up?
>>>>> >
>>>>> > What is the best (and proper) way to authenticate with Geoserver and then
>>>>> > access the protected layers. In particular through OpenLayers? I can't seem
>>>>> > to find any examples that work.
>>>>> >
>>>>> > Thanks in advance.
>>>>> > Jamie
>>>>>
>>>>> _______________________________________________
>>>>> Geoserver-users mailing list
>>>>> [email protected]
>>>>> https://lists.sourceforge.net/lists/listinfo/geoserver-users
>>>>
>>>> --
>>>> Jamie Popkin
>>>> Little Earth
>>>> 250 390 6816
>>>> http://littleearth.ca
