Thank you Pawel,
But, if your web container supports JAAS, you can configure the login-config tag in your web.xml in this way:

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>myRealm</realm-name>
</login-config>

This causes the browser and the container to share encoded credential in a secure way without https. I want to write my interceptor to act as the container, sharing an encoded copy of the entered credential. That's all.
Is this conceptually correct? And if yes, can someone give me a hint on how to do this work please?

Thanks for your time.
Gianluca

2008/10/3 Paweł Wielgus <[EMAIL PROTECTED]>:
> Hi Gianluca,
> how would You expect to share credential without https?
> Can't You just turn https on for Your login action?
> If there is no https, all data are sent in plain text - as far as I know.
>
> Best Greetings,
> Paweł Wielgus.
>
> 2008/10/3 [EMAIL PROTECTED] <[EMAIL PROTECTED]>:
>> Ok, I will write a custom interceptor and/or action to do this, to allow
>> browser and server to safely share credential without https, like in
>> standard jaas authentication.
>>
>> I've no idea how to do it. Can someone give me a hint?
>>
>> Sent from iPhone
>>
>> On 02/Oct/08, at 20:59, Laurie Harper <[EMAIL PROTECTED]> wrote:
>>
>>> Gianluca Musella wrote:
>>>>
>>>> I've implemented an AuthenticationInterceptor. If the user isn't
>>>> logged in then he is redirected to a login page to enter credential.
>>>> The problem is that from this page user and password are sent in clear
>>>> text, as a normal http post.
>>>> Is this true? And if yes, is there a way to use some type of encryption
>>>> (something similar to FORM, NORMAL or DIGEST used in the standard JAAS)?
>>>
>>> It's true if you've implemented it that way; you're asking about your own
>>> code... You can have your login form submit over HTTPS instead of regular
>>> HTTP. Or you can change your interceptor to perform the necessary
>>> challenge/response processing to do basic or digest HTTP authentication
>>> instead of using form-based authentication (note: I'm not sure if browsers
>>> support digest; with basic auth, HTTPS is still recommended if you want a
>>> secure login process.)
>>>
>>> L.