Which authentication method to use?

 
Ranch Hand
Posts: 117
hi,

I want to choose an authentication method for my web application. If I use basic authentication, I cannot use a custom login page and it's not secure. Form-based authentication allows me to use a custom login page, but it is not at all secure. I don't want to use client-side certificates since they are expensive and difficult to implement. Is there any other way, or do I have to use programmatic security like JAAS?

Thanks
Devi
 
Greenhorn
Posts: 24
I don't understand what you mean by

Form based authentication allows me to use a custom login page, but it is not at all secure



-Hellkay
 
Rancher
Posts: 43081
Form auth and Basic auth offer the exact same level of security, they're just implemented differently. Why do you think Basic auth is more secure?

JAAS does not address browser/web app auth - you would need to use web app auth along with it.
[ June 14, 2006: Message edited by: Ulf Dittmer ]
 
Sreedevi Vinod
Ranch Hand
Posts: 117
Sorry, I just meant to say that both form and basic authentication methods are not secure. So apart from using client-cert, how can I ensure security?

Thanks
Devi
 
Ulf Dittmer
Rancher
Posts: 43081
There are any number of things you could do, but without knowing in which way you perceive HTTP auth to be insecure, it's hard to recommend one.
 
Sreedevi Vinod
Ranch Hand
Posts: 117
http://java.sun.com/j2ee/tutorial/1_3-fcs/doc/Security4.html
Here, it says that
"Neither form-based authentication nor HTTP basic authentication is particularly secure. In form-based authentication, the content of the user dialog box is sent as plain text, and the target server is not authenticated. Basic authentication sends user names and passwords over the Internet as text that is uuencoded, but not encrypted. This form of authentication, which uses Base64 encoding, can expose your user names and passwords unless all connections are over SSL. If someone can intercept the transmission, the username and password information can easily be decoded."
How do you tackle this issue?

Thanks
Devi
 
Ulf Dittmer
Rancher
Posts: 43081
77
Well, using SSL is quite easy, so that should be a no-brainer.
 