How to implement secure login page

 
Ryan Day
Ranch Hand
Posts: 87
I'm learning about web app security (SCWCD objectives 5.1, 5.2, 5.3). The HF book says that the data integrity for FORM-based login (using <auth-method> of FORM in the <login-config> tag of the DD) is very weak with no encryption.

So if I want to have a custom login page that is secure, does adding a <user-data-constraint><transport-guarantee> value of CONFIDENTIAL accomplish that?

Also, the BASIC authentication is said to be weak, too, so I guess I should also use <user-data-constraint><transport-guarantee>CONFIDENTIAL</ in that situation.

Why would you ever implement a login without the transport guarantee?
 
Ulf Dittmer
Rancher
Posts: 42970
73
Strong or weak security are relative to what you are trying to achieve. If you're worried that your IP traffic might be sniffed, then you should use a transport guarantee. But let's say you have an intranet application, and are mainly interested to authenticate your users, then a login without encryption would be sufficient.
 