I never considered HTTP authentication for my web app, for the
reasons you describe, based on what I learned in Sang Shin's J2EE course,
available for FREE at:
http://www.javapassion.com/j2ee/
You may want to review the Sun Java Web Services Tutorial
at:
http://java.sun.com/j2ee/tutorial/1_3-fcs/doc/Security4.html#67530
and the J2EE 1.4 Tutorial at:
http://java.sun.com/j2ee/1.4/docs/tutorial/doc/Security5.html
------------------------------------------------------
Authenticating Users of Web Resources
When you try to access a protected Web resource, the Web container activates the authentication mechanism that has been configured for that resource. You can configure the following authentication mechanisms for a Web resource:
Basic Authentication
If you specify HTTP basic authentication, the Web server will authenticate a user by using the user name and password obtained from the Web client.
Form-Based Authentication
If you specify form-based authentication, you can customize the login screen and error pages that are presented to the end user by an HTTP browser.
Neither form-based authentication nor HTTP basic authentication is particularly secure. In form-based authentication, the content of the user dialog box is sent as plain text, and the target server is not authenticated. Basic authentication sends user names and passwords over the Internet as text that is uuencoded, but not encrypted. This form of authentication, which uses Base64 encoding, can expose your user names and passwords unless all connections are over SSL. If someone can intercept the transmission, the username and password information can easily be decoded.
------------------------------------------------------
It appears that Form-based authentication, when combined with SSL, is flexible and does not expose passwords or messages in plain text. This is what I plan to use for my production environment, but I haven't gotten the SSL cert yet. My experience is that there are literally HUNDREDS of potential gotchas in building a robust web-app and a LOT of R&D is required. I am using Apache, JBoss/Jetty, Struts, MySQL, JSPs, Session and Entity EJBs, HTML, JavaScript, Javamail, ..... Integrating all of these successfully is a steep learning curve.
Hugh Allen
DesignTec Software, L.L.C.
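An added example, not from this thread or from the Sun tutorial quoted above: a web.xml excerpt for the setup the message settles on, form-based login with the container required to use SSL (transport-guarantee CONFIDENTIAL) for the protected paths, so that the j_username/j_password POST the tutorial warns about never travels in plain text. The URL pattern, role name and page names are assumptions.

```xml
<!-- Added example (not from the thread): web.xml excerpt for form-based login over SSL.
     The /secure/* path, the "member" role and the JSP names are assumed for illustration. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <!-- Everything under /secure/ requires an authenticated user in the "member" role
       AND a confidential (SSL) transport; the container redirects a plain HTTP
       request to HTTPS before the login form is shown. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Members area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>member</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- Without CONFIDENTIAL here, the login form posts j_username and
           j_password as plain text, exactly as the tutorial warns. NONE would
           allow the credentials over unencrypted HTTP. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- FORM instead of BASIC: the login page is ours to design, and the credentials
       are posted once to the container's j_security_check action rather than sent
       as a Base64 Authorization header on every request. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginError.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>member</role-name>
  </security-role>
</web-app>
```

login.jsp must POST to j_security_check with fields named j_username and j_password; the realm and the user-to-role mapping are configured in the container (JBoss/Jetty in the author's case), not in web.xml.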
At 10:11 AM 4/10/2004, you wrote:
I have recently spent about a week trying to make HTTP authentication work satisfactorily in my web app. I am beginning to think that the wise thing to do is sidestep HTTP authentication. Probably I need to write my own authentication procedures instead.
This raises another subject which I think is important: Why didn't someone warn me about the morass I was about to step into before I went ahead and stepped into it? For some reason we give each other too few warnings about bad code and immature technologies. I do not know the answer but I write now to raise this subject.
None of the documentation which I have found about HTTP authentication has suggested to me that I should avoid it. Most of the documentation seems to imply that it works as advertised.
Libertarians (of which I consider myself one) like to cite the Underwriters Laboratory (UL) as an example of a voluntarily formed standards organization. As the story is told, the manufacturers of electrical appliances understood that they needed standards for safety, and so they formed an organization to police themselves. They grant the UL seal of approval only to appliances which meet their standards.
We really need a UL of software.
I can speculate about why our media remain so silent about unusable code. It could be that we are organized (although informally and unconsciously for the most part) against a common foe, and that we dare speak no evil about the works among us for fear that will weaken our organization against the greater danger. But I am just guessing.
Rich Hammer
Christopher L Merrill wrote:
Richard O. Hammer wrote:
Do very few Java web apps use HTTP-based authentication because it is so flaky as to be almost useless for any serious application?
IMO, yes. This is not limited to java-based web apps. We see a lot of different types of apps (JSP, ASP, Cold Fusion, Oracle, etc) from our customers and HTTP-based auth is pretty rare.
_______________________________________________
Juglist mailing list
[EMAIL PROTECTED]
http://trijug.org/mailman/listinfo/juglist_trijug.org
