OK, I will write a custom interceptor and/or action to do this, to
allow browser and server to safely share credentials without HTTPS,
like in standard JAAS authentication.
I've no idea how to do it. Can someone give me a hint?
Sent from iPhone
On 02/Oct/08, at 20:59, Laurie Harper
<[EMAIL PROTECTED]> wrote:
Gianluca Musella wrote:
I've implemented an AuthenticationInterceptor. If the user isn't
logged in, they are redirected to a login page to enter credentials.
The problem is that from this page user and password are sent in
clear text, as a normal HTTP POST.
Is this true? And if yes, is there a way to use some type of
encryption (something similar to FORM, NORMAL or DIGEST used in the
standard JAAS)?
It's true if you've implemented it that way; you're asking about
your own code... You can have your login form submit over HTTPS
instead of regular HTTP. Or you can change your interceptor to
perform the necessary challenge/response processing to do basic or
digest HTTP authentication instead of using form-based
authentication (note: I'm not sure if browsers support digest; with
basic auth, HTTPS is still recommended if you want a secure login
process.)
L.
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------