Chris, I have posted similar comments on this issue; please search the user and developer lists for additional comments and concerns.

Tomcat v4.x has added some "single sign-on" functionality. Can this be used?

Paul Spencer

Santiago Gala wrote:
>
> Chris Kimpton wrote:
>
> > Hi,
> >
> > This is in proposal 0005 and seems to be also mentioned in this discussion:
> >
> > http://www.mail-archive.com/[email protected]/msg00704.html
> >
> > The documentation and discussions seem to imply it has not been implemented - is it still a valid item?
>
> Nobody supplied patches for it.
>
> > Let me know as I would like this facility for my project - I would aim to supply a patch for it.
> >
> > I would assume that it is an optional feature that is to be turned off by default.
>
> So, the best thing would be to write a SessionValidator action that behaves slightly differently than the one that we have now.
>
> - User has an option like Remember me in addition to Name/Password.
> - This option makes the system set a (more or less permanent) cookie that is *not* traceable to the password. It could be a hash of username/password or else something truly random to be stored as User.setPerm( ... ). This is due to the incredible amount of security issues if the password can be deduced from the cookie. Anybody could fake the cookie and log in as the user.
> - When a session gets validated, if a cookie is present, the Validator will look what user it belongs to, and log this user in if it equals the User.getPerm() info.
>
> An option somewhere to remove the cookie would be interesting also.
>
> Still, even if the password cannot be retrieved from the cookie, the cookie can be faked and copied to a different browser to have login. But, at least, an attempt to change password will be logged. This is inherently insecure, but I think that if the password cannot be retrieved from the cookie, the behaviour can be considered reasonable in some environments.
>
> > Regards,
> > Chris
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
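The design Santiago Gala sketches above (a "Remember me" cookie carrying a truly random value, stored per user via User.setPerm and compared at session validation, with a way to drop it) can be made concrete as follows. This is an added example written for this page, not Jetspeed's SessionValidator or any project code; the class name, the in-memory map standing in for User.setPerm(...)/getPerm(), and the cookie layout "userId:token" are all assumptions. It goes one step past the thread by storing only a SHA-256 hash of the token server-side, so that a leaked user record still does not yield a usable cookie, and by comparing hashes in constant time.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Hypothetical "remember me" token handling (not Jetspeed code).
 * The cookie value is "userId:token" where token is 32 random bytes,
 * base64url-encoded. Only SHA-256(token) is kept on the server, in a
 * map that stands in for User.setPerm(...)/User.getPerm().
 */
public class RememberMeTokens {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int TOKEN_BYTES = 32;

    // userId -> SHA-256 of the issued token (assumed stand-in for the perm store)
    private final Map<String, byte[]> permStore = new HashMap<>();

    /** Issue a fresh cookie value for the user; nothing password-derived is involved. */
    public String issue(String userId) {
        byte[] token = new byte[TOKEN_BYTES];
        RNG.nextBytes(token);
        permStore.put(userId, sha256(token));
        return userId + ":" + Base64.getUrlEncoder().withoutPadding().encodeToString(token);
    }

    /**
     * The check the Validator would run when a session carries the cookie.
     * Returns the user the cookie belongs to, or null when the cookie is
     * missing, malformed, forged, or has been revoked.
     */
    public String validate(String cookieValue) {
        if (cookieValue == null) return null;
        int sep = cookieValue.lastIndexOf(':');   // base64url never contains ':'
        if (sep <= 0 || sep == cookieValue.length() - 1) return null;
        String userId = cookieValue.substring(0, sep);
        byte[] token;
        try {
            token = Base64.getUrlDecoder().decode(cookieValue.substring(sep + 1));
        } catch (IllegalArgumentException e) {
            return null;                           // not base64url: reject
        }
        byte[] stored = permStore.get(userId);
        if (stored == null) return null;           // unknown user or revoked
        // Constant-time comparison so a forged token cannot be guessed byte by byte.
        return MessageDigest.isEqual(stored, sha256(token)) ? userId : null;
    }

    /** The "remove the cookie" option: every copy of the cookie stops working. */
    public void revoke(String userId) {
        permStore.remove(userId);
    }

    private static byte[] sha256(byte[] in) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(in);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is required by the JDK", e);
        }
    }

    public static void main(String[] args) {
        RememberMeTokens store = new RememberMeTokens();
        String cookie = store.issue("alice");                 // constructed sample user
        System.out.println("genuine cookie -> " + store.validate(cookie));
        System.out.println("forged token   -> " + store.validate("alice:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"));
        System.out.println("garbage value  -> " + store.validate("alice:not*base64"));
        store.revoke("alice");
        System.out.println("after revoke   -> " + store.validate(cookie));
    }
}
```

What this does and does not buy: as the thread notes, a cookie copied to another browser still logs the attacker in, and that remains true here; what the design removes is any path from the cookie back to the password, and the server-side revoke gives the user a way to cut off every outstanding copy (calling revoke on password change would extend the same protection to the case the thread says is merely logged).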
