From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
>
> With the current functionality of jetspeed displaying the
> userid as a component of the url, I was wondering if anyone
> has considered that in and of itself a security weakness.
> With common two-factor authentication (userid and password),
> 50% of this security barrier is disclosed fairly quickly and
> available to anyone interested in "social engineering" or
> even minor shoulder surfing. Of course, the context of this
> discussion assumes that some confidential information is
> being used or stored in the portal.
>
This is only partly true. Jetspeed simply allows you to reference a user-based resource (i.e. a portal page) by the user id name. You may achieve the same results without using any exposed user id by tying resources to roles and/or groups. Also, there is a security check done by Jetspeed to make sure the logged-in user has access to the user resource specified in the URL. This enables usage scenarios where users can share their portal pages with others; if you don't need this kind of feature you can tweak the profiler and URL wrapper classes to remove any explicit user reference...

> Interestingly enough, Yahoo shows the userid in the window
> caption bar and Netscape shows user ids in the url. It would
> appear, however, that Netscape is showing an internally
> generated id for the user (maybe actually the primary key in
> the user table?).
>

In general, user ids are not considered "secret" since even when they are not readily available they can be easily guessed by using simple combinations of a user's first name and last name. Of course, your mileage may vary depending on your environment and policies in place.

--
Raphaël Luta - [EMAIL PROTECTED]
Jakarta Jetspeed - Enterprise Portal in Java
http://jakarta.apache.org/jetspeed/
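The reply above makes two points that are easier to see in code: a user id in the URL is only a problem if the server forgets to check that the logged-in user is actually allowed to see the page addressed by that id, and the same pages can be addressed by role or group so that no user id appears in the URL at all. The following is an added, framework-free example written for this thread; it is not Jetspeed's own profiler or URL wrapper code. The URL pattern `/portal/user/{userid}/...`, the in-memory page and role stores, and the users alice, bob and carol are all constructed assumptions.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

/**
 * Added example, not Jetspeed code: resolving a user-scoped portal page that
 * is referenced by user id in the URL, with the ownership/sharing check the
 * reply describes, next to a role-keyed lookup that needs no user id at all.
 * Every user, page and role below is constructed sample data.
 */
public class UserResourceAccessDemo {

    /** A portal page owned by one user and optionally shared with others (constructed). */
    static final class PortalPage {
        final String owner;
        final Set<String> sharedWith;

        PortalPage(String owner, Set<String> sharedWith) {
            this.owner = owner;
            this.sharedWith = sharedWith;
        }
    }

    /** User-keyed page store: the "user-based resource" addressed by user id in the URL. */
    static final Map<String, PortalPage> USER_PAGES = new HashMap<>();

    /** Role membership: lets a page be addressed by role so no user id is exposed. */
    static final Map<String, Set<String>> ROLE_MEMBERS = new HashMap<>();

    static {
        // alice shares her page with bob; carol shares with nobody (constructed data)
        USER_PAGES.put("alice", new PortalPage("alice", Set.of("bob")));
        USER_PAGES.put("carol", new PortalPage("carol", Set.of()));
        ROLE_MEMBERS.put("finance", Set.of("alice", "carol"));
    }

    /** Extracts the user id from an assumed path of the form /portal/user/{userid}/... */
    static String userIdFromPath(String path) {
        List<String> parts = List.of(path.split("/"));
        int idx = parts.indexOf("user");
        if (idx < 0 || idx + 1 >= parts.size() || parts.get(idx + 1).isEmpty()) {
            return null;
        }
        return parts.get(idx + 1);
    }

    /**
     * The check the reply refers to: a request for /portal/user/{id}/... is served
     * only if the logged-in user owns that page or the owner shared it with them.
     * Without this check, the id being visible in the URL would let any logged-in
     * user read any other user's page simply by editing the address; with it,
     * knowing someone's user id gains nothing beyond what sharing already grants.
     */
    static boolean canAccessUserPage(String loggedInUser, String path) {
        String requested = userIdFromPath(path);
        if (requested == null || loggedInUser == null) {
            return false; // unauthenticated request or malformed path: deny
        }
        PortalPage page = USER_PAGES.get(requested);
        if (page == null) {
            return false; // unknown user id: deny rather than leak whether it exists
        }
        return page.owner.equals(loggedInUser) || page.sharedWith.contains(loggedInUser);
    }

    /** Role-based alternative: /portal/role/{role}/... carries no user id in the URL. */
    static boolean canAccessRolePage(String loggedInUser, String role) {
        Set<String> members = ROLE_MEMBERS.get(role);
        return members != null && loggedInUser != null && members.contains(loggedInUser);
    }

    public static void main(String[] args) {
        // owner reading her own page
        System.out.println("alice -> alice's page: " + canAccessUserPage("alice", "/portal/user/alice/home"));
        // a user the page was shared with
        System.out.println("bob -> alice's page:   " + canAccessUserPage("bob", "/portal/user/alice/home"));
        // a user with no share, despite knowing the id in the URL
        System.out.println("bob -> carol's page:   " + canAccessUserPage("bob", "/portal/user/carol/home"));
        // role-addressed page, no user id exposed
        System.out.println("carol -> finance role: " + canAccessRolePage("carol", "finance"));
    }
}
```

The point of the two lookups side by side is that the security property lives in `canAccessUserPage`, not in hiding the id: the owner check and the share list decide who may read the page, and the visible user id is merely the address. If sharing is not needed, the role-keyed form removes the user reference from the URL entirely, which is the "tweak the profiler and URL wrapper classes" option the reply mentions.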
