Win a copy of Beginning Java 17 Fundamentals: Object-Oriented Programming in Java 17 this week in the Java in General forum!
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Tim Cooke
  • Campbell Ritchie
  • Ron McLeod
  • Liutauras Vilda
  • Jeanne Boyarsky
Sheriffs:
  • Junilu Lacar
  • Rob Spoor
  • Paul Clapham
Saloon Keepers:
  • Tim Holloway
  • Tim Moores
  • Jesse Silverman
  • Stephan van Hulst
  • Carey Brown
Bartenders:
  • Al Hobbs
  • Piet Souris
  • Frits Walraven

auth-method and transport-guarantee in web.xml

 
Ranch Hand
Posts: 114
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
How does auth-method, and transport-guarantee in web.xml work?
What are the differences between these two?

What's going to happen if I do auth-method: DIGEST but I set transport-guarantee: NONE?

Thanks'
 
Rancher
Posts: 43027
76
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
auth-method specifies how authentication is done, i.e. how a user convinces the server who she is. The principal methods are Basic, Digest, Form and Certificate.

transport-guarantee specifies how all traffic is transferred over the wire - either unencrypted via HTTP (value of NONE) or encrypted via HTTPS (value of CONFIDENTIAL).

Both concepts are orthogonal, and can be used independently of each other.
 
Smith Li
Ranch Hand
Posts: 114
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Thanks for the reply.

I'm interested to know more about how DIGEST works.
If I'm not mistaken, with this approach authentication will be done using MD5?
But if transport-guarantee equals to NONE, then this authentication can still be intercepted in the middle of the network?

Thank you.
 
Ulf Dittmer
Rancher
Posts: 43027
76
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Well, if you're really interested in the details, have a look at RFC 2069 and RFC 2617, which define how Basic and Digest authentication works.

SSL has no impact on authentication, because the authentication information is part of the HTTP headers, which are not encrypted by SSL. Yes, the digested password is known if the transmission is intercepted, and could be used for a playback attack. But the password is still secret.
 
Smith Li
Ranch Hand
Posts: 114
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I think I understand it more clearly now.
So DIGEST is still doing authentication for the password. The password is still a secret. But transport-guarantee:NONE still keeps the password secret eventhough it can be intercepted.

Thank you Ulf. =)
 
Smith Li
Ranch Hand
Posts: 114
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
One thing that I still don't quite understand is
if the password is being authenticated on the client side,
how does the server side know the original password?
 
Ulf Dittmer
Rancher
Posts: 43027
76
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

if the password is being authenticated on the client side,...


It's digested on the client side, but authentication happens on the server.

...how does the server side know the original password?


It doesn't. Computing a digest is an irreversible process, so the server needs to have access to a pre-digested version of the password, in order to compare that to what the client sends.
 
Ranch Hand
Posts: 2308
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Originally posted by Ulf Dittmer:
[QB]transport-guarantee specifies how all traffic is transferred over the wire - either unencrypted via HTTP (value of NONE) or encrypted via HTTPS (value of CONFIDENTIAL).

QB]



HTTPS -> value of CONFIDENTIAL and INTEGRAL.
 
Smith Li
Ranch Hand
Posts: 114
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Thanks for the help guys =)
reply
    Bookmark Topic Watch Topic
  • New Topic