Authentication - Best practice
Hi all.

For the web-application I'm developing, I need the user to authenticate himself. I read the Tomcat documentation and found the realms. My question is: are there best practices on how to use a realm?

Thanks.
Fred.

This message and any attachments (the message) are confidential and intended solely for the addressees. Any unauthorised use or dissemination is prohibited. E-mails are susceptible to alteration. Neither CREDIT DU NORD nor any of its subsidiaries or affiliates shall be liable for the message if altered, changed or falsified.
RE: Authentication - Best practice
Try http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html for Simple Authentication.

Is there any reason why you are going to Realm specifically? If application security is the least of your concerns then it would be OK. Else it would be better to go for another security solution.

Regards,
Rajaneesh

-----Original Message-----
From: VAN DER MARLIERE FREDERIC
Sent: Wednesday, January 12, 2005 4:34 PM
To: tomcat-user@jakarta.apache.org
Subject: Authentication - Best practice

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
RE: Authentication - Best practice
What's insecure about using a realm? The security level is dependent on the realm type (e.g. JDBC/JNDI can be used too), no?

-----Original Message-----
From: Rajaneesh
Sent: 12 January 2005 12:13
To: 'Tomcat Users List'
Subject: RE: Authentication - Best practice
RE: Authentication - Best practice
Hi,

It uses Base64 for sending the data. Heard that Base64 data is easily compromised compared to SSL. Please correct me if I am wrong.

Regards,
Rajaneesh

-----Original Message-----
From: Quinten Verheyen
Sent: Wednesday, January 12, 2005 4:48 PM
To: Tomcat Users List
Subject: RE: Authentication - Best practice
RE: Authentication - Best practice
Ok! I found the link... It is here: java.sun.com/developer/Books/certification/scwcd_9.pdf

Regards,
Rajaneesh

-----Original Message-----
From: Rajaneesh
Sent: Wednesday, January 12, 2005 4:57 PM
To: 'Tomcat Users List'
Subject: RE: Authentication - Best practice
RE: Authentication - Best practice
Ah ok, in that case I'm not worried ;-)

The security level aimed for should be dependent on the application/client types of the company; there are a lot of (mostly small) companies who do not want more security than HTTP Basic authentication, simply because none of the applications they develop need it.

PS: thank you for the link.

-----Original Message-----
From: Rajaneesh
Sent: 12 January 2005 12:29
To: 'Rajaneesh'; 'Tomcat Users List'
Subject: RE: Authentication - Best practice
Re: Authentication - Best practice
Rajaneesh wrote:
> Hi, It uses Base64 for sending the data. Heard that Base64 data is easily compromised compared to SSL. Please correct me if I am wrong.

You are not wrong. HTTP Basic authentication uses base64 encoding of user credentials. base64 is encoding, not encrypting. The only thing you need is a program to decode it. UNIX has a freeware utility, base64, which can do that.

SSL is encryption using asymmetric + symmetric encryption. Asymmetric is used for the initial handshake/negotiation (usually RSA) and symmetric is for the channel traffic encryption (usually 3DES).

Nix.
Re: Authentication - Best practice
On Jan 12, 2005, at 12:03, VAN DER MARLIERE FREDERIC wrote:
> My question is: are there best practices on how to use a realm?

RFC 2617 - HTTP Authentication: Basic and Digest Access Authentication
http://www.faqs.org/rfcs/rfc2617.html

In a nutshell, neither Basic nor Digest offers much in terms of security. That said, Basic is usually good enough for casual access control. An easy way to enhance the security level is to run the above over TLS. Perhaps even leveraging client side certificates if necessary.

In any case, the main question is: WYTM?
http://iang.org/ssl/wytm.html

Cheers,

--
PA
http://alt.textdrive.com/
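The "Basic over TLS" arrangement PA recommends, as an added example that is not part of the thread: a web.xml fragment (the deployment descriptor the container reads alongside the realm configured in server.xml) that declares BASIC authentication against a realm and a CONFIDENTIAL transport guarantee, so Tomcat redirects plain-HTTP requests to HTTPS before the browser ever sends the base64 Authorization header. The URL pattern, the role name and the realm name are assumed.

```xml
<!-- Added example, not from the thread: web.xml fragment enforcing TLS for a
     BASIC-authenticated area. /secure/*, "user" and the realm name are assumed. -->
<web-app>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- only principals the realm maps to this role get in -->
      <role-name>user</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- CONFIDENTIAL makes Tomcat redirect http:// requests to the HTTPS
           connector, so the base64 credentials only travel inside TLS.
           Without this element the same realm accepts the header over plain HTTP. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <!-- BASIC as discussed above; CLIENT-CERT would switch this web
         application to the client-side certificate approach PA mentions -->
    <auth-method>BASIC</auth-method>
    <realm-name>Example Realm</realm-name>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>

</web-app>
```

The redirect only works if an HTTPS connector is configured in server.xml and the HTTP connector's redirectPort points at it; otherwise requests to /secure/* fail rather than fall back to plain HTTP.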
Re: Authentication - Best practice
On Jan 12, 2005, at 13:04, Nikola Milutinovic wrote:
> SSL is encryption using asymmetric + symmetric encryption. Asymmetric is used for the initial handshake/negotiation (usually RSA) and symmetric is for the channel traffic encryption (usually 3DES).

You can also use TLS for authentication purposes with client side certificates.

Talking of X509, the Sun JVM comes with a handy (albeit private) package to generate your own self-signed certificates: check sun.security.x509.

Here is a pretty much self-contained usage example:
http://cvs.sourceforge.net/viewcvs.py/zoe/ZOE/Applications/ZOE/KeyManager.java?view=markup

Which is used by this application:
http://zoe.nu/

Cheers,

--
PA
http://alt.textdrive.com/