Hi stan,

Well yes it does, but when I tried to download it last week, I was refused because
of American Export law because it contains encryption. I am in the UK.
Is there a (legal) way to download the J2EE outside of USA?

Karl

stan - CAST-INFO wrote:

> hi,
>
> I thought that J2EE had HTTPS built-in...
>
> is it not the case?
>
> Karl Roberts wrote:
>
> > Hi
> >
> > Well the bad news is that they do send it unencrypted, imagine my
> > surprise when snooping my own network I was able to catch my userid
> > and password being posted to my Netscape Mail account!
> >
> > As we don't have access to HTTPS yet I am currently working on an
> > encryption class. The idea is that I have a servlet/JSP display a page
> > with a login applet. The applet would encrypt the login info then
> > base 64 encode it then send it to the login servlet which would reverse
> > the process and decide whether to log the user in.
> >
> > The reason that I want to send the password via HTTP rather than through
> > a custom socket is that user and server may be on the other side of a
> > firewall from each other.
> >
> > The only trouble I'm having at present is how to initialize the applet
> > with its (unique) encryption key in a secure manner. One idea is to use
> > the session id and IP address of the request which the applet uses to
> > create its own key on the fly. The servlet would know the same
> > information and would be able to generate its decrypt key also on the
> > fly. Because the encryption key is different every time a spy can't just
> > grab your encrypted password and resend it to the login server.
> >
> > The trouble is that once a malicious spy intercepts the applet being
> > sent to the browser, they could conceivably determine the method with
> > which the applet/servlet create their keys and then by reading session
> > info and IP spoofing could decrypt the user id and password.
> >
> > Any better ideas would be welcome. Another idea I had (although I've not
> > pursued it as it would be slow) is to have the servlet compile a new
> > applet with a unique key already in built and send this applet to the
> > user.
> >
> > Karl
> >
> > "Bragg, Casey" wrote:
> >
> > > I'm looking for any ideas on how to communicate a password
> > > (entered into a browser form on a jsp page) to a servlet or bean securely.
> > >
> > > As far as I can tell, on a POST my password text is plainly exposed
> > > (unencrypted) as it traverses HTTP back to the server.  This can't be
> > > the norm.  How do Yahoo, Excite and others implement this when logging on?
> > >
> > > Thanks in advance for any input.
> > >
> > > Casey
> > >
> > > ===========================================================================
> > > To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
> > > FAQs on JSP can be found at:
> > >  http://java.sun.com/products/jsp/faq.html
> > >  http://www.esperanto.org.nz/jsp/jspfaq.html

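The weakness Karl describes in the quoted message above (a key that applet and servlet each build from the session id and client IP), shown as an added example that is not part of the original thread. The SHA-256 derivation, AES-GCM, the names `deriveKey`, `encrypt` and `decrypt`, and the sample session id and IP are assumptions for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

public class DerivedKeyLogin {
    // Hypothetical derivation: key = first 128 bits of SHA-256(sessionId | clientIp).
    static SecretKeySpec deriveKey(String sessionId, String clientIp) throws Exception {
        byte[] h = MessageDigest.getInstance("SHA-256")
                .digest((sessionId + "|" + clientIp).getBytes(StandardCharsets.UTF_8));
        return new SecretKeySpec(h, 0, 16, "AES");
    }

    // Applet side: encrypt, prepend the random IV, then Base64-encode for the POST body.
    static String encrypt(String login, SecretKeySpec key) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(login.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    // Servlet side: Base64-decode, split off the IV, then decrypt.
    static String decrypt(String posted, SecretKeySpec key) throws Exception {
        byte[] in = Base64.getDecoder().decode(posted);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, in, 0, 12));
        return new String(c.doFinal(in, 12, in.length - 12), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values; over plain HTTP both are visible on the wire.
        String sessionId = "A1B2C3D4E5F6", clientIp = "192.0.2.10";
        String posted = encrypt("karl:s3cret", deriveKey(sessionId, clientIp));
        System.out.println("POST body:      " + posted);
        System.out.println("Servlet reads:  " + decrypt(posted, deriveKey(sessionId, clientIp)));
        // Anyone who saw the same traffic and the applet's derivation holds the
        // same inputs, so the "key" contains no secret and the login is readable.
        SecretKeySpec observerKey = deriveKey(sessionId, clientIp);
        System.out.println("Observer reads: " + decrypt(posted, observerKey));
    }
}
```

The cipher itself is sound here; the confidentiality fails because every input to the key crosses the same unencrypted channel as the ciphertext, which is the gap a key exchange such as the one in HTTPS closes.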
