Raphaël Luta wrote:
> At 01:32 22/02/2001 +0000, you wrote:
>
>> On Wed, Feb 21, 2001 at 02:10:59PM -0400, Diethelm Guallar, Gonzalo wrote:
>> > > > (Like, possibly, why this is not the default mechanism, I'm guessing
>> > > > there is a good reason).
>> > >
>> > > Cause it is ugly to have the browser present a dialog people have to
>> > > fill out. People like websites with a nice form in it.
>> >
>> > Are there any advantages to using HTTP to authenticate?
>> > I'm guessing maybe HTTP will encrypt the user/password
>> > combination, unlike a form, which will send the fields
>> > unencrypted. If this is the case, how good is the HTTP
>> > encryption?
>>
>> No, HTTP doesn't encrypt - no advantage.
>
>
> Unless your webserver uses client certificate authentication for
> example... ;-)
>
> HTTP Authorization is a pluggable mechanism and you can have very
> nice secure authentication schemes using things like mod_ssl or single
> sign-on products like SiteMinder.
> Sure, it's usually possible to reimplement the same scheme with applicative
> forms, but why do you want to reimplement this?
> IMO, Container level authentication is the way to go, the application
> should only deal with authorization.
>
Also, sorry if I arrive late here, you can choose form-based authentication by just
configuring Tomcat.
See http://localhost:8080/examples/jsp/security/protected with Tomcat on
+1 with Raphaël. The servlet container should deliver us our
java.security.Principal object, after the siteadmin configures how to
authenticate users (NT security, SSL, forms, digest, LDAP, ...)
depending on customer policies.