> from the browser to the server. Once the request is received by the server
> encryption/decryption is easy but since browsers have no way of encrypting
> the data (you could write something in javascript but it wouldn't be all that
> secure since javascript is not a precompiled language) I'm willing to bet
> that the actual text sent in the request (over wire) cannot be encrypted. If
> anyone does figure out a way to do this it would be interesting to know
> (that's a hint to post it here...;).
Well, sure it is possible! And you use JavaScript to do that! Take a look at this page: http://pajhome.org.uk/crypt/md5/

Be warned however, the md5 and sha-1 implemented on that page are not UNICODE-compliant (they don't treat their Strings as UNICODE but as ASCII). I have implemented my own UNICODE version of SHA-1 to hash passwords.

The fact that the hashing algorithm will be in plaintext for anyone to read doesn't make it less secure. The security relies on the strength of the algorithm. That means that even if you can read the Algorithm/Javascript you cannot hack the password.

Of course it would be a mistake if you just hash the password and send the hashed password, because then the hacker would just have to send the same hash to login! So instead you take the password and the sessionId (or some random variable sent by the server) and hash them together (on the browser). This hashed value is then sent to the server. The server retrieves the password from the database (he will know the username because it is sent in plain text), hashes it together with the sessionId (or the random variable) and compares the two hashes. If they match he knows that the user knows the password. This way the hacker has no chance because the hash value sent over the internet changes for every login.

So the idea would be to implement this kind of security with tomcat, then you wouldn't need SSL to hide the password.

Roland

--
To unsubscribe: <mailto:[EMAIL PROTECTED]>
For additional commands: <mailto:[EMAIL PROTECTED]>
Troubles with the list: <mailto:[EMAIL PROTECTED]>
