Only [auth-method] FORM use session tracking ?

From HFB p.647, it said FORM-Based Authentication needs to use SSL or session tracking.

I agree with this since container will use session (either cookie or URL rewriting) to store info to mark that user has been login.

However, I wonder if other authentication methods like:
BASIC
DIGEST
CLIENT-CERT
do not use session ?

If session is not needed for these methods, how the container know the user has been login ? e.g After the user login via BASIC, where is the login info store in the client so that container recognized he is a login user ?

Could anyone help me about this ?

Thanks

Hi

Your quote

From HFB p.647, it said FORM-Based Authentication needs to use SSL or session tracking.

I think any of the auth mechanism can use the SSL or session tracking. The FORM based auth send the password in clear text format. It is not encoded or encripted, therefore for security it need some mechanism like SSL. Acually most of the CLIENT-CERT auth are implemented using SSL certs.

The second part of the question about session tracking. I read somewhere that the session tracking with url rewirting is problematic ( what is problem is not mentioned , I remember), so the session tracking using cookie or session tracking bultin into SSL should be used.

This is my understanding. Hope it is correct.

Thanks

Hello,
I think we are mixing two things here Authentication and Session tracking.

I think any of the auth mechanism can use the SSL or session tracking

Sorry but I don't think this is correct. The SSL gives more security because the encryption is good. For example BASIC won't use SSL. Secure socket layer has a built in mechanism which the container can use to track session.

I read somewhere that the session tracking with url rewirting is problematic ( what is problem is not mentioned , I remember), so the session tracking using cookie or session tracking bultin into SSL should be used.

Session tracking can be done using cookie or url rewriting or SSL (which has built in session tracking). The url rewriting is problematic because you have to code a little more as compared to session tracking by cookies. But then it again depends upon your requirement. If the user has cookies disabled then he/she won't be able to access the app and you can see the problem.

Also if you have implemented session tracking by url rewriting and user has cookies enabled{in the browser} then the container{most of them } is intelligent enough to use cookies for session tracking and not url rewriting and if cookies are disabled then container will use url rewriting for session tracking.

SSL come with a little drawback. It makes the app slow because you can see the effort involved in encryption and decryption. that means we can't use SSL always for each request. Most of the time only the login request or the requests that involve sensitive data will use SSL and then the normal request will come into picture.

Hope this helps.

Hi,

So, the statement in HF is true or false?

Your statement

Sorry but I don't think this is correct. The SSL gives more security because the encryption is good. For example BASIC won't use SSL. Secure socket layer has a built in mechanism which the container can use to track session.

suppose I use following elements in the web.xml, what is a type of auth and the SSL mechanism is running on my app server.

<login-config>
<auth-method>BASIC</auth-method>
<realm-name>My Realm</realm-name>
<loging-config>

<security-constraint>
//other subelements here
<user-data-constraint>
<transport-gurantee>CONFIDENTIAL</tarnsport-gurantee>
</user-data-constraint>
</security-constraint>

......

I think typically for INTEGRAL or CONFIDENTIAL transport SSL is used, but it is not mean that we can not used it with BASIC auth. I think SSL is the underlying layer that satisfy these requirements.


Anyone have more idea please.

Thanks

Hello,

I think typically for INTEGRAL or CONFIDENTIAL transport SSL is used

Yes you are right.

I think I didn't get your question. We were talking about authentication methods or the connections. We can always keep the connection on SSL but the basic authentication won't use SSL by itself.Client-Certificate authentication uses HTTP over SSL which provides data encryption, server authentication, message integrity, and optional client authentication for a TCP/IP connection.

On the other hand in case of BASIC or FORM authentication sends the user names and passwords over the Internet as text that is uu-encoded, but not encrypted.

We can always keep the connection over SSL if we want.

Hope I confused everything more.

If I DON'T use session tracking (no cookie and no URL rewriting) and SSL.

All of these 3 auth-methods:
BASIC
DIGEST
FORM

can be used BUT the website just continuously show up the login page (for FORM method) or popup window to request login (for BASIC and DIGEST) even the username and password are correct, right ?

Hi,

can be used BUT the website just continuously show up the login page (for FORM method) or popup window to request login (for BASIC and DIGEST) even the username and password are correct, right ?

Have you tested this. In my testing env I don't have SSL cert. I realy want to know how practically it works. Can you give some more details.

Sawan metioned that the basic and form auth. use uu-encoding. But I don't think the FORM auth use uu-encoding. It is just the plain text.

Very interesting discussion. Plese keep this thread continue.

Thanks

Sawan metioned that the basic and form auth. use uu-encoding. But I don't think the FORM auth use uu-encoding. It is just the plain text.

Yes my mistake. You are right.