--- "P. Douglas Reeder" <[EMAIL PROTECTED]> wrote:

> After some effort, I've managed to set up a JAASRealm that draws its
> account information from our Kerberos server (Krb5LoginModule,
> connecting to Open Directory on OS X Server 10.3.9).
>
> One of the key security properties of Kerberos is that passwords are
> never sent over the network, even in encrypted form. However, since
> users interact with Tomcat using HTTP, I think passwords are sent in
> the clear if using Basic authentication, and encrypted if using Digest
> authentication. In either case, it would appear that I'm not
> preserving the level of security I had with the Kerberos setup before.
>
> So, would it make more sense to use account information from our Linux
> machine (JAASRealm with UnixLoginModule), since that is sent over the
> network in encrypted form when users log in via ssh? Is Digest
> authentication about as secure as SSH?
>
> If not, what's the easiest kind of Realm to set up which stores
> passwords in an encrypted form, for a half dozen users?
> (UserDatabaseRealm is right out.)
Doug,

Can your app use HTTPS instead of HTTP? If yes, then you can (which you
may already know) add a <transport-guarantee /> element to your app's
web.xml.

-Bob

++++++++

<security-constraint>
  <web-resource-collection>
    <web-resource-name>OSUstudent</web-resource-name>
    <description>Student access</description>
    <url-pattern>/student/*</url-pattern>
    <http-method>HEAD</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
  </web-resource-collection>
  <auth-constraint>
    <description>These are the coarse-grained roles that enable a subject
      to pass the JAAS login stack.</description>
    <role-name>OSUActiveStudent</role-name>
  </auth-constraint>
  <user-data-constraint>
    <description>This app will use https in the /student subtree</description>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
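The CONFIDENTIAL guarantee above only protects the url-patterns it is attached to: a browser will still send a Basic Authorization header in the clear to any other constrained path that lacks it, and Tomcat can only honour the guarantee if the HTTP connector's redirectPort points at a working HTTPS connector. The following script is an added example, not code from the thread or from Tomcat, that audits a web.xml for exactly that gap: every security-constraint that carries an auth-constraint (so credentials will be exchanged) but whose transport-guarantee is not CONFIDENTIAL. The embedded web.xml is constructed for the example; the function names are mine.

```python
"""Audit a Servlet web.xml: flag security-constraints that require a role
(auth-constraint) but do not require an encrypted transport (CONFIDENTIAL).
On such paths a BASIC or FORM login sends the password over plain HTTP."""
import xml.etree.ElementTree as ET

# Constructed sample web.xml, not from the original thread.  The first
# constraint mirrors the one posted above; the second requires a role but
# never asks for HTTPS, which is the mistake this script is meant to catch.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>student</web-resource-name>
      <url-pattern>/student/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>OSUActiveStudent</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace so the same code handles a 2.3 web.xml (no
    namespace) and a 2.4+ web.xml (default j2ee namespace)."""
    return tag.rsplit('}', 1)[-1]


def _children(elem, name):
    """Direct children of elem with the given local tag name."""
    return [c for c in elem if _local(c.tag) == name]


def _texts(elem, name):
    """Stripped text of every descendant of elem with the given local name."""
    return [c.text.strip() for c in elem.iter() if _local(c.tag) == name and c.text]


def audit_web_xml(xml_text):
    """Return (auth_method, findings).  findings holds one dict per
    security-constraint that has an auth-constraint but whose
    transport-guarantee is not CONFIDENTIAL (NONE or INTEGRAL: per the
    Servlet spec only CONFIDENTIAL promises the data cannot be observed)."""
    root = ET.fromstring(xml_text)

    auth_method = None
    for lc in root.iter():
        if _local(lc.tag) == 'login-config':
            methods = _texts(lc, 'auth-method')
            auth_method = methods[0].upper() if methods else None

    findings = []
    for sc in root.iter():
        if _local(sc.tag) != 'security-constraint':
            continue
        if not _children(sc, 'auth-constraint'):
            continue  # nothing to authenticate, so no credentials on the wire
        guarantee = 'NONE'  # spec default when user-data-constraint is absent
        for udc in _children(sc, 'user-data-constraint'):
            tg = _texts(udc, 'transport-guarantee')
            if tg:
                guarantee = tg[0].upper()
        if guarantee != 'CONFIDENTIAL':
            findings.append({'patterns': _texts(sc, 'url-pattern'),
                             'guarantee': guarantee,
                             'auth_method': auth_method})
    return auth_method, findings


if __name__ == '__main__':
    method, findings = audit_web_xml(SAMPLE_WEB_XML)
    print('auth-method:', method)
    for f in findings:
        print('WARNING: %s requires a role but transport-guarantee is %s'
              % (', '.join(f['patterns']), f['guarantee']))
```

Run it against the real web.xml by replacing SAMPLE_WEB_XML with the file contents; any line it reports is a path where a BASIC login can still travel over plain HTTP regardless of what the /student/* constraint says.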