
auth-method and transport-guarantee in web.xml

 
Rudy Rusli
Ranch Hand
Posts: 114
How does auth-method, and transport-guarantee in web.xml work?
What are the differences between these two?

What's going to happen if I do auth-method: DIGEST but I set transport-guarantee: NONE?

Thanks
 
Ulf Dittmer
Rancher
Posts: 42968
73
auth-method specifies how authentication is done, i.e. how a user convinces the server who she is. The principal methods are Basic, Digest, Form and Certificate.

transport-guarantee specifies how all traffic is transferred over the wire - either unencrypted via HTTP (value of NONE) or encrypted via HTTPS (value of CONFIDENTIAL).

Both concepts are orthogonal, and can be used independently of each other.
 
Rudy Rusli
Ranch Hand
Posts: 114
Thanks for the reply.

I'm interested to know more about how DIGEST works.
If I'm not mistaken, with this approach authentication will be done using MD5?
But if transport-guarantee equals NONE, then this authentication can still be intercepted in the middle of the network?

Thank you.
 
Ulf Dittmer
Rancher
Posts: 42968
73
Well, if you're really interested in the details, have a look at RFC 2069 and RFC 2617, which define how Basic and Digest authentication work.

SSL has no impact on authentication, because the authentication information is part of the HTTP headers, which are not encrypted by SSL. Yes, the digested password is known if the transmission is intercepted, and could be used for a playback attack. But the password is still secret.
 
Rudy Rusli
Ranch Hand
Posts: 114
I think I understand it more clearly now.
So DIGEST is still doing authentication for the password. The password is still a secret. But transport-guarantee:NONE still keeps the password secret even though it can be intercepted.

Thank you Ulf. =)
 
Rudy Rusli
Ranch Hand
Posts: 114
One thing that I still don't quite understand is
if the password is being authenticated on the client side,
how does the server side know the original password?
 
Ulf Dittmer
Rancher
Posts: 42968
73
if the password is being authenticated on the client side,...

It's digested on the client side, but authentication happens on the server.

...how does the server side know the original password?

It doesn't. Computing a digest is an irreversible process, so the server needs to have access to a pre-digested version of the password, in order to compare that to what the client sends.
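As an added worked example (not code from this thread), here is the RFC 2617 Digest exchange in Python: the client digests the password, the server stores only the pre-digested HA1 and compares, and the server refuses a captured (nonce, nc) pair a second time. The sample username, realm, password, nonce and cnonce are the ones from RFC 2617's own example; the class and function names are my own.

```python
import hashlib
import hmac

# Sample values taken from the worked example in RFC 2617, section 3.5.
REALM = "testrealm@host.com"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"

def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def make_ha1(username: str, realm: str, password: str) -> str:
    # HA1 = MD5(username:realm:password), the "pre-digested" password the server keeps.
    return _md5(f"{username}:{realm}:{password}")

def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    # RFC 2617 with qop=auth: response = MD5(HA1:nonce:nc:cnonce:qop:HA2)
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def client_response(username, realm, password, method, uri, nonce, nc, cnonce):
    # Browser side: the clear-text password is digested; only the response is sent.
    return digest_response(make_ha1(username, realm, password), method, uri, nonce, nc, cnonce)

class DigestVerifier:
    """Server side: keeps HA1 per user, never the password, and remembers (nonce, nc)
    pairs so a captured Authorization header is rejected when played back
    (simplified; a real container also expires nonces)."""
    def __init__(self, realm: str):
        self.realm = realm
        self.ha1_by_user: dict[str, str] = {}
        self.seen: set[tuple[str, str]] = set()

    def add_user(self, username: str, password: str) -> None:
        self.ha1_by_user[username] = make_ha1(username, self.realm, password)

    def verify(self, username, method, uri, nonce, nc, cnonce, response) -> bool:
        stored = self.ha1_by_user.get(username)
        if stored is None or (nonce, nc) in self.seen:
            return False
        expected = digest_response(stored, method, uri, nonce, nc, cnonce)
        if not hmac.compare_digest(expected, response):
            return False
        self.seen.add((nonce, nc))
        return True

def rfc2617_example() -> str:
    # Response for the RFC 2617 example request: GET /dir/index.html as user Mufasa.
    return client_response("Mufasa", REALM, "Circle Of Life", "GET",
                           "/dir/index.html", NONCE, "00000001", "0a4f113b")
```

With transport-guarantee NONE the response value above travels in clear text, which is why the nonce bookkeeping matters; CONFIDENTIAL hides it inside TLS.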
 
Rahul Bhattacharjee
Ranch Hand
Posts: 2308
Originally posted by Ulf Dittmer:
transport-guarantee specifies how all traffic is transferred over the wire - either unencrypted via HTTP (value of NONE) or encrypted via HTTPS (value of CONFIDENTIAL).

HTTPS -> value of CONFIDENTIAL and INTEGRAL.
 
Rudy Rusli
Ranch Hand
Posts: 114
Thanks for the help guys =)
 