Java2 SSL works well with servlets (it gets more complicated with JSPs). I have
on Linux an Apache 3.1.12, mod-ssl and open-ssl, RSAref, Tomcat 3.2.1B
configuration and it seems to be stable. In September the RSA patent will expire
and then you will be able to use the above combination even commercially! You
are able to generate a test certificate with Apache itself and get client
certificates for a few $s. I have not managed to make client certificates work
with the latest SSL jar files from SUN yet, but they are reasonably good at
fixing Java problems!
IMHO SSL is the only secure way to work on the net! It is also fairly easy to
write a Java2 client which exchanges JSSL encrypted objects (over tunneling
HTTP and a url.connect stream) with a servlet. The encryption strength is
controlled by the standard export laws. In the USA you are able to get the true
128-bit version. There are not many books on how to do this, but there is at
least one good book at http://www.oreilly.com/ on Java2 encryption and another
on security. You should also read Jason Hunter's book on servlets. I believe
that a new edition will be out soon! Go to http://www.servlets.com or again to
O'Reilly above!

Regards.
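The client the reply above describes, written out as an added example (it is not code from the original message or from Sun's JSSE samples). It assumes Java 9 or later and a hypothetical servlet at https://example.org/app/login that reads one serialized LoginRequest from the request body and writes one LoginReply back; both message classes are constructed for the example. JSSE does the encryption because the URL scheme is https. The client's own job is to leave certificate and host-name checking switched on and to restrict which classes it is willing to deserialize from the response.

```java
import java.io.IOException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.net.URL;
import javax.net.ssl.HttpsURLConnection;

/** Request object shared by client and servlet (constructed for this example). */
class LoginRequest implements Serializable {
    private static final long serialVersionUID = 1L;
    final String username;
    final char[] password;
    LoginRequest(String username, char[] password) {
        this.username = username;
        this.password = password;
    }
}

/** Reply object shared by client and servlet (constructed for this example). */
class LoginReply implements Serializable {
    private static final long serialVersionUID = 1L;
    final boolean ok;
    final String message;
    LoginReply(boolean ok, String message) {
        this.ok = ok;
        this.message = message;
    }
}

public class SecureObjectClient {
    // Hypothetical servlet URL; the https scheme is what makes JSSE encrypt the exchange.
    private static final String SERVLET = "https://example.org/app/login";

    static LoginReply send(LoginRequest request) throws IOException, ClassNotFoundException {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(SERVLET).openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/x-java-serialized-object");
        // Defaults are kept on purpose: the JVM trust store validates the server's
        // certificate chain and HttpsURLConnection checks the host name. To talk to a
        // self-signed test certificate, import it into a trust store rather than
        // installing a permissive TrustManager or HostnameVerifier.

        try (ObjectOutputStream out = new ObjectOutputStream(conn.getOutputStream())) {
            out.writeObject(request);
        }
        int status = conn.getResponseCode();   // sends the request
        if (status != HttpsURLConnection.HTTP_OK) {
            throw new IOException("servlet returned HTTP " + status);
        }
        try (ObjectInputStream in = new ObjectInputStream(conn.getInputStream())) {
            // Accept only the reply class (and the String it contains); everything else
            // is rejected. Deserialising arbitrary classes off the network is a
            // code-execution risk, and TLS does nothing to prevent it.
            in.setObjectInputFilter(
                ObjectInputFilter.Config.createFilter("LoginReply;java.lang.String;!*"));
            return (LoginReply) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        LoginReply reply = send(new LoginRequest("doug", "secret".toCharArray()));
        System.out.println(reply.ok + " " + reply.message);
    }
}
```

The servlet side would mirror this with an ObjectInputStream over the request body, carrying the same ObjectInputFilter but listing LoginRequest instead of LoginReply.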

Doug Johnston wrote:

> hi all,
>
>     I was wondering what the most secure way to log people in was, without
> using SSL. I've taken a look at both the java.net package and the
> java.security package. They both seem to have some of the functionality that
> I would like, but they don't seem that practical to me. My main goals are: 1)
> authenticate an initial login, 2) track the user using sessions, 3) reduce
> overhead by not authenticating on every page reload, so as not to have to
> keep reconnecting to my SQL DB and check the user's validity.
> Here is the (slightly over-complicated) code I am using now. What security
> issues does this present, and how can they be solved? Optimization and other
> functions I could use would also be greatly appreciated.
>      Connection con;
>      String Username = "";
>      String Password = "";
>      PrintWriter out = res.getWriter();
>      HttpSession session;
>      if (req.getSession(false) == null) {  // login attempt
>          Username = req.getParameter("username");
>          Password = req.getParameter("password");
>          session = req.getSession(true);
>          session.putValue("Username", Username);
>          session.putValue("Password", Password);
>      }
>      else {  //already logged in, use sessions
>       session = req.getSession(false);
>       Username = (String) session.getValue("Username");
>       Password = (String) session.getValue("Password");
>      }
>      if (req.getParameter("username") != null) {  // a new login attempt
> before logout
>          try {
>             con.close();
>          }
>          catch(Exception e) {
>             System.out.println("Database close failed");
>             System.out.println(e.toString());
>          }
>          con = null;
>          out.println("resetting");
>          Username = req.getParameter("username");
>          Password = req.getParameter("password");
>      }
>
>     Thank-you,
>     Doug
>
> ___________________________________________________________________________
> To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> of the message "signoff SERVLET-INTEREST".
>
> Archives: http://archives.java.sun.com/archives/servlet-interest.html
> Resources: http://java.sun.com/products/servlet/external-resources.html
> LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
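The code Doug posted keeps the plaintext password in the session and reads it back on every request. The shape a practitioner would use instead, as an added example that is not part of either message in this thread: verify the password once against a salted PBKDF2 hash, put only the user's identity into a freshly created session, and let later requests trust the session instead of going back to the database. It assumes the javax.servlet API (Servlet 2.2 or later) and Java 8 or later for PBKDF2WithHmacSHA256 and Base64; the USERS map, the "doug" account and the /home path are constructed stand-ins for the SQL table and the application. Without the SSL the reply recommends, the password and the session cookie still cross the network in clear text; this example only fixes what happens on the server.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LoginServlet extends HttpServlet {
    private static final int ITERATIONS = 100_000;
    private static final int KEY_BITS = 256;
    private static final SecureRandom RNG = new SecureRandom();

    /** Stand-in for the SQL user table: username -> "base64(salt):base64(pbkdf2)". */
    private static final Map<String, String> USERS = new ConcurrentHashMap<>();

    static {
        // Constructed test account; a real table would be populated at registration time.
        USERS.put("doug", hashPassword("correct horse battery staple".toCharArray(), newSalt()));
    }

    static byte[] newSalt() {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        return salt;
    }

    /** Salted PBKDF2-HMAC-SHA256; the salt is stored beside the hash, never the password. */
    static String hashPassword(char[] password, byte[] salt) {
        try {
            KeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
            byte[] dk = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                                        .generateSecret(spec).getEncoded();
            return Base64.getEncoder().encodeToString(salt) + ":"
                 + Base64.getEncoder().encodeToString(dk);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    static boolean verify(String username, char[] password) {
        String stored = USERS.get(username);
        if (stored == null) {
            // Unknown user: still pay for one PBKDF2 so response time does not
            // reveal which usernames exist.
            hashPassword(password, newSalt());
            return false;
        }
        String[] parts = stored.split(":", 2);
        byte[] salt = Base64.getDecoder().decode(parts[0]);
        byte[] expected = Base64.getDecoder().decode(parts[1]);
        byte[] actual = Base64.getDecoder().decode(hashPassword(password, salt).split(":", 2)[1]);
        return MessageDigest.isEqual(expected, actual);   // constant-time comparison
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse res) throws IOException {
        String username = req.getParameter("username");
        String password = req.getParameter("password");
        if (username == null || password == null) {
            res.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        if (!verify(username, password.toCharArray())) {
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // A login while a session already exists (Doug's "new login attempt before
        // logout") discards the old session, so an attacker-supplied session id can
        // never become an authenticated one (session fixation).
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = req.getSession(true);
        session.setAttribute("user", username);   // identity only; the password is never stored
        session.setMaxInactiveInterval(15 * 60);
        res.sendRedirect(req.getContextPath() + "/home");
    }

    /** Other servlets call this per request: no database round-trip, just the session. */
    static String currentUser(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        return session == null ? null : (String) session.getAttribute("user");
    }

    static void logout(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
    }
}
```

The database is touched once, inside verify(); every later page reload only checks currentUser(), which is the cost saving Doug was after, and the session itself is the thing to protect, which is where SSL comes back in.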
