Hi, no offense - but I'd NEVER NEVER EVER send the MD5-ed PW or store an
MD5 hash in the directory. Rather, I regard it paramount to send the
password as-is (through an encrypted channel) and have the directory store
it WITH A SALT value. Furthermore, you should bind against the directory
Hi,
there is actually one more aspect: prevent correctly logged-in users (as
others pointed out before: login on the server with a server session is
required) from manipulating more data than you want them to. Using Tamper Data
and similar tools, you can see what goes back and forth via GWT-RPC.
Hi Joseph,
Did you post that GWT webapp running on Spring Security somewhere? I have
the Spring Security books; their major shortcoming is that they don't cover
GWT at all. It would be great to have some good comprehensive examples of
GWT using Spring Security.
Thanks,
-Dave
On Saturday,
Hoffer,
I won't be posting that since it is a closed source site and sanitizing it
for release is more than I have time for at the moment. However, while
there are a lot of configuration files in such a setup, it is just vanilla
Spring/GWT/Hibernate for which you can find example projects out
Hi,
See this sample:
https://groups.google.com/forum/?fromgroups=#!topic/google-web-toolkit/fkbowz5-5do
It is integrated with Spring Security.
Juan
2012/10/30 Joseph Lust lifeofl...@gmail.com
Hoffer,
I won't be posting that since it is a closed source site and sanitizing it
for release is
FYI, I just set up a GWT webapp running on Spring Security. Spring
Security covers much of the above and more:
- Session Fixation prevention
- Easy to enforce HTTPS channel filters to force parts of site to run on
SSL
- Facilities to persist (totally random) remember me tokens to
On Wednesday, October 24, 2012 2:38:51 PM UTC-4, Manuel Carrasco wrote:
- You could compute and send the MD5 hash of the password instead of the
clear one if the server is storing the password in MD5
This doesn't really work against MITM attacks. As written, the proposal
substitutes a
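Two points from this thread in runnable form: the first post's advice to store a salted hash in the directory rather than a bare MD5, and the objection above that a client-side MD5 sent over the wire is itself the secret. This is an added Python example, not code from the thread or from GWT/Spring Security; the sample password, the PBKDF2 parameters and the function names are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed for this example: a modest PBKDF2 work factor, not a production tuning.
ITERATIONS = 100_000


def md5_hex(password: str) -> str:
    """Unsalted MD5 of the password, as in the quoted proposal."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, iterated hash for directory storage. Returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)  # a fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)


def unsalted_store_reveals_equal_passwords(pw_a: str, pw_b: str) -> bool:
    """With plain MD5, two users with the same password get the same stored value."""
    return md5_hex(pw_a) == md5_hex(pw_b)


def salted_store_reveals_equal_passwords(pw_a: str, pw_b: str) -> bool:
    """With per-user salts, equal passwords still produce different stored values."""
    _, digest_a = hash_password(pw_a)
    _, digest_b = hash_password(pw_b)
    return digest_a == digest_b


def make_md5_login_check(stored_md5_hex: str):
    """Server side of 'client sends MD5(password)': all it can do is compare digests."""
    def check(client_sent_hex: str) -> bool:
        return hmac.compare_digest(client_sent_hex, stored_md5_hex)
    return check


def digest_is_password_equivalent(password: str) -> bool:
    """The server never sees the password, so the digest alone satisfies the check;
    whatever crossed an unencrypted channel at login is therefore the credential."""
    check = make_md5_login_check(md5_hex(password))
    observed_digest = md5_hex(password)  # the value that went over the wire
    return check(observed_digest)


if __name__ == "__main__":
    salt, digest = hash_password("hunter2")  # constructed sample password
    print("salted verify:", verify_password("hunter2", salt, digest))
    print("md5 equal for equal passwords:", unsalted_store_reveals_equal_passwords("hunter2", "hunter2"))
    print("pbkdf2 equal for equal passwords:", salted_store_reveals_equal_passwords("hunter2", "hunter2"))
    print("observed md5 accepted:", digest_is_password_equivalent("hunter2"))
```

The salt does nothing for the transport problem; that is what the encrypted channel is for. It fixes the storage problem: without it, equal passwords are visible as equal entries in the directory and one precomputed table covers every user.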
For a secure GWT application:
- use SSL for the entire app
- check for SSL vulnerabilities and update your server accordingly
- use your app server's session id and send it as payload from server to
client during login and then from client to server on each request. On the
server check
On Wednesday, October 24, 2012 5:41:06 AM UTC-4, Flying-w wrote:
I am investigating security considerations around the user login for a GWT
application in respect of the following strategy:
- User enters their id and password in a dialogue;
- Client transmits the login request with
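One way to implement the session handling the post above describes (a server-issued value handed to the client at login, returned in each RPC payload and checked on the server), together with the session fixation prevention the Spring Security post lists: an added Python example, not code from the thread, GWT or Spring Security. The in-memory SessionStore and the names login, authorize_rpc and login_flow are assumptions made for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    session_id: str
    user: Optional[str] = None
    rpc_token: Optional[str] = None  # issued at login, echoed in every RPC payload


class SessionStore:
    """In-memory stand-in for the app server's session registry (assumption)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self) -> Session:
        session = Session(session_id=secrets.token_urlsafe(32))
        self._sessions[session.session_id] = session
        return session

    def get(self, session_id: str) -> Optional[Session]:
        return self._sessions.get(session_id)

    def login(self, pre_login_id: str, user: str) -> Session:
        """Authenticate: retire the pre-login session id (an id planted before
        login must not survive it: session fixation prevention) and issue a fresh
        session plus a random token the client must return in each RPC."""
        self._sessions.pop(pre_login_id, None)
        session = self.create()
        session.user = user
        session.rpc_token = secrets.token_urlsafe(32)
        return session

    def authorize_rpc(self, cookie_session_id: str, payload_token: str) -> bool:
        """Server-side check on every GWT-RPC call: the cookie must name a
        logged-in session and the payload token must match that session's."""
        session = self.get(cookie_session_id)
        if session is None or session.user is None or session.rpc_token is None:
            return False
        return hmac.compare_digest(session.rpc_token, payload_token)

    def logout(self, session_id: str) -> None:
        self._sessions.pop(session_id, None)


def login_flow(store: SessionStore, user: str) -> dict:
    """Walk through the flow once and report what each server check returns."""
    pre = store.create()  # anonymous session before login
    s = store.login(pre.session_id, user)
    return {
        "id_rotated": s.session_id != pre.session_id,
        "old_id_dead": store.get(pre.session_id) is None,
        "rpc_ok": store.authorize_rpc(s.session_id, s.rpc_token),
        "rpc_no_token": store.authorize_rpc(s.session_id, ""),  # cookie alone is not enough
        "rpc_old_cookie": store.authorize_rpc(pre.session_id, s.rpc_token),
    }


if __name__ == "__main__":
    for check, result in login_flow(SessionStore(), "alice").items():
        print(f"{check}: {result}")
```

Because the browser attaches the session cookie to any request, including one a third-party page triggers, the cookie by itself does not prove the call came from your client; the token in the payload does, since only the page loaded from your origin received it. That is why the server checks both.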
I am investigating security considerations around the user login for a GWT
application in respect of the following strategy:
- User enters their id and password in a dialogue;
- Client transmits the login request with the above details to the
server using RPC;
- Server returns a
Use SSL for security; never send a clear-text user id and password over the wire.
If a user navigates away from the app then they should log in again.
ed
On Wed, Oct 24, 2012 at 5:41 AM, Flying-w simonjone...@googlemail.com wrote:
I am investigating security considerations around the user login for a
- Use Http-Only cookies so as any eventually injected js does not have
access to the session cookie.
- You could compute and send the MD5 hash of the password instead of the
clear one if the server is storing the password in MD5
On Wed, Oct 24, 2012 at 8:26 PM, Ed ej19...@gmail.com wrote:
Use
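The HttpOnly advice above as an added Python example (not from the thread): building the session cookie's Set-Cookie value with the HttpOnly and Secure flags, and a small audit that reports a session cookie missing either. JSESSIONID is the usual servlet-container default cookie name; the other names in SESSION_COOKIE_NAMES and the sample header values are constructed for illustration.

```python
from http.cookies import SimpleCookie
from typing import List

# Cookie names the audit treats as session cookies (JSESSIONID is the servlet
# container default; the rest are constructed for this example).
SESSION_COOKIE_NAMES = {"JSESSIONID", "SESSION", "GWTSESSION"}


def build_session_cookie(name: str, value: str) -> str:
    """Set-Cookie header value for a session cookie: HttpOnly keeps it out of
    document.cookie, Secure keeps it off plain HTTP, SameSite limits cross-site sends."""
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["httponly"] = True
    cookie[name]["secure"] = True
    cookie[name]["path"] = "/"
    cookie[name]["samesite"] = "Strict"
    return cookie.output(header="").strip()


def audit_set_cookie(header_value: str) -> List[str]:
    """Return the problems found in one Set-Cookie header value (empty list = fine)."""
    cookie = SimpleCookie()
    cookie.load(header_value)
    problems = []
    for name, morsel in cookie.items():
        if name.upper() not in SESSION_COOKIE_NAMES:
            continue  # non-session cookies are out of scope for this check
        if not morsel["httponly"]:
            problems.append(f"{name}: missing HttpOnly")
        if not morsel["secure"]:
            problems.append(f"{name}: missing Secure")
    return problems


if __name__ == "__main__":
    good = build_session_cookie("JSESSIONID", "abc123")  # constructed sample value
    print(good)
    print("audit(good):", audit_set_cookie(good))
    print("audit(bare):", audit_set_cookie("JSESSIONID=abc123; Path=/"))
```

Run the audit over the Set-Cookie headers your server actually emits after login, not over what the configuration claims: a proxy or a second framework filter in front of the servlet container can strip or rewrite the attributes.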