Thanks for your feedback.

"Luta, Raphael (VUN)" <[EMAIL PROTECTED]> wrote:
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
>>
>> With the current functionality of jetspeed displaying the
>> userid as a component of the url, I was wondering if anyone
>> has considered that in and of itself a security weakness.
>> With common two-factor authentication (userid and password),
>> 50% of this security barrier is disclosed fairly quickly and
>> available to anyone interested in "social engineering" or
>> even minor shoulder surfing. Of course, the context of this
>> discussion assumes that some confidential information is
>> being used or stored in the portal.
>>
>
>This is only partly true. Jetspeed simply allows you to reference
>a user-based resource (i.e. a portal page) by the user id name.
>You may achieve the same results not using any exposed user id
>by tying resources to roles and/or groups.
>Also, there is a security check done by Jetspeed to make sure the
>logged-in user has access to user resource specified in the URL.
>This enables usage scenarios where users can share their portal
>pages with others, if you don't need these kinds of features you can
>tweak the profiler and URL wrapper classes to remove any explicit
>user reference...
>
>> Interestingly enough, Yahoo shows the userid in the window
>> caption bar and Netscape shows user ids in the url. It would
>> appear, however, that Netscape is showing an internally
>> generated id for the user (maybe actually the primary key in
>> the user table?).
>>
>
>In general, user ids are not considered "secret" since even when they
>are not readily available they can be easily guessed by using simple
>combinations of a user first name and last name.
>Of course, your mileage may vary depending on your environment and
>policies in place.
>
>--
>Raphaël Luta - [EMAIL PROTECTED]
>Jakarta Jetspeed - Enterprise Portal in Java
>http://jakarta.apache.org/jetspeed/
