Gianluca Musella wrote:
> I've implemented an AuthenticationInterceptor. If the user isn't
> logged in then he is redirected to a login page to enter credentials.
> The problem is that from this page user and password are sent in clear
> text, as a normal HTTP post.
> Is this true? And if yes, is there a way to use some type of encryption
> (something similar to FORM, NORMAL or DIGEST used in the standard JAAS)?

It's true if you've implemented it that way; you're asking about your
own code... You can have your login form submit over HTTPS instead of
regular HTTP. Or you can change your interceptor to perform the
necessary challenge/response processing to do basic or digest HTTP
authentication instead of using form-based authentication (note: I'm not
sure if browsers support digest; with basic auth, HTTPS is still
recommended if you want a secure login process.)
L.
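
The difference between the basic and digest options mentioned in the reply, shown as an added example that is not part of the original thread or of the poster's interceptor. The class and method names are illustrative, the basic credentials are constructed sample values, the digest values are the worked example from RFC 2617 section 3.5, and the server is assumed to hold the password (or its HA1 hash) for the realm.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

public class HttpAuthCheck {
    // Hex-encoded MD5, the hash RFC 2617 digest authentication is built on.
    static String md5Hex(String s) throws Exception {
        byte[] d = MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.ISO_8859_1));
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Basic: the Authorization header is only base64 of "user:password",
    // so anyone who can read the request recovers the password unless HTTPS is used.
    static String[] decodeBasic(String header) {
        String b64 = header.substring("Basic ".length());
        String pair = new String(Base64.getDecoder().decode(b64), StandardCharsets.ISO_8859_1);
        return pair.split(":", 2);
    }

    // Digest (qop=auth): the client sends a hash bound to the server's nonce;
    // the server recomputes it from its own copy of the secret and compares.
    static boolean verifyDigest(String user, String realm, String password, String method,
            String uri, String nonce, String nc, String cnonce, String clientResponse) throws Exception {
        String ha1 = md5Hex(user + ":" + realm + ":" + password);
        String ha2 = md5Hex(method + ":" + uri);
        String expected = md5Hex(ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":auth:" + ha2);
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.US_ASCII),
                clientResponse.getBytes(StandardCharsets.US_ASCII)); // constant-time compare
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample credentials, encoded the way a browser would send them.
        String basic = "Basic " + Base64.getEncoder()
                .encodeToString("alice:s3cret".getBytes(StandardCharsets.ISO_8859_1));
        String[] cred = decodeBasic(basic);
        System.out.println("Basic header reveals: " + cred[0] + " / " + cred[1]);

        // Values from the worked example in RFC 2617 section 3.5.
        boolean ok = verifyDigest("Mufasa", "testrealm@host.com", "Circle Of Life", "GET",
                "/dir/index.html", "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001",
                "0a4f113b", "6629fae49393a05397450978507c4ef1");
        System.out.println("Digest response valid: " + ok);
    }
}
```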