Posted to user@struts.apache.org by Gianluca Musella <gi...@gmail.com> on 2008/10/02 13:33:19 UTC

security quest

I've implemented an AuthenticationInterceptor. If the user isn't
logged in, they are redirected to a login page to enter credentials.

The problem is that from this page the user and password are sent in clear
text, as a normal HTTP POST.

Is this true? And if yes, is there a way to use some type of encryption
(something similar to FORM, NORMAL or DIGEST used in standard JAAS)?

Thanks

Gianluca

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Re: security quest

Posted by Gianluca Musella <gi...@gmail.com>.
Ok Laurie, I know that basic authentication is not very secure, but
it is sufficient in the best cases. I think that your suggestion, to use
container managed security, is absolutely the best, and I will follow
this hint. The original idea of writing an interceptor capable of
communicating with the browser during basic auth is too expensive,
and with no better results.

Thank you

Gianluca


2008/10/3 Laurie Harper <la...@holoweb.net>:
> Firstly, HTTP BASIC authentication is only pseudo-secure: credentials are
> sent encoded rather than in plain text, but the encoding is trivially
> reversible. Hence my previous statement that you still need to use HTTPS if
> security is a concern.
>
> That said, if you want to use BASIC authentication, why not go with
> container managed security, which you apparently already know how to use?
> What additional functionality do you need that requires a custom
> interceptor-based implementation?
>
> If you really do need to proceed down that route, you need to have your
> interceptor send the appropriate HTTP 'authentication required' header and
> process the credentials the browser sends in response. A little googling
> should reveal how to implement HTTP authentication in terms of the protocol
> requirements. From there, it's simply a matter of having your interceptor
> conduct the appropriate HTTP dialog.
>
> L.

Re: security quest

Posted by Laurie Harper <la...@holoweb.net>.
Firstly, HTTP BASIC authentication is only pseudo-secure: credentials 
are sent encoded rather than in plain text, but the encoding is 
trivially reversible. Hence my previous statement that you still need to 
use HTTPS if security is a concern.

That said, if you want to use BASIC authentication, why not go with 
container managed security, which you apparently already know how to 
use? What additional functionality do you need that requires a custom 
interceptor-based implementation?

If you really do need to proceed down that route, you need to have your 
interceptor send the appropriate HTTP 'authentication required' header 
and process the credentials the browser sends in response. A little 
googling should reveal how to implement HTTP authentication in terms of 
the protocol requirements. From there, it's simply a matter of having 
your interceptor conduct the appropriate HTTP dialog.

L.

Gianluca Musella wrote:
> Thank you Pawel,
> 
> But, if your web container supports JAAS, you can configure the
> login-config tag in your web.xml in this way:
> 
>     <login-config>
>         <auth-method>BASIC</auth-method>
>         <realm-name>myRealm</realm-name>
>     </login-config>
> 
> This causes the browser and the container to share encoded credentials
> in a secure way without https.
> 
> I want to write my interceptor to act as the container, sharing an
> encoded copy of the entered credentials.
> 
> That's all. Is this conceptually correct? And if yes, can someone
> give me a hint on how to do this work please?
> 
> Thanks for your time.
> 
> Gianluca
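Laurie's two points above, that Basic credentials are merely base64-encoded and that an interceptor doing Basic auth itself must send the 401 challenge and then parse the Authorization header the browser returns, as an added Python sketch that is not code from the thread or from Struts. The realm name is the one from Gianluca's web.xml fragment; the user store and header values are constructed, and the `is_tls` flag stands in for whatever the real request object reports about the connection. The decode step is the whole reason HTTPS stays mandatory: it is all an eavesdropper needs.

```python
import base64
import binascii
import hmac
from typing import Dict, Optional, Tuple

REALM = "myRealm"  # realm name from the web.xml fragment in the thread

# Constructed sample credential store; a real interceptor would ask the
# container realm or a user service instead of a dict.
USERS: Dict[str, str] = {"alice": "correct horse battery staple"}


def encode_basic(user: str, password: str) -> str:
    """What the browser sends after a 401 challenge: 'Basic ' + base64(user:password)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic(authorization: str) -> Optional[Tuple[str, str]]:
    """Recover (user, password) from an Authorization header, or None if malformed.
    This is the 'trivially reversible' encoding Laurie refers to: base64 is an
    encoding, not encryption, so whoever can read the header can read the password."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")  # the password may itself contain ':'
    return (user, password) if sep else None


def authenticate(headers: Dict[str, str], is_tls: bool) -> Tuple[int, Dict[str, str], Optional[str]]:
    """One server-side step of the Basic dialog: returns (status, response headers, user).
    Credentials are solicited and accepted only over TLS, because Basic itself gives
    no confidentiality; a real deployment would redirect to HTTPS rather than 403."""
    if not is_tls:
        return 403, {}, None
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'}
    creds = decode_basic(headers.get("Authorization", ""))
    if creds is None:
        return 401, challenge, None  # no or malformed credentials: issue the challenge
    user, password = creds
    expected = USERS.get(user, "")
    # Constant-time password compare; unknown users get the same 401 as a wrong password.
    if not expected or not hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8")):
        return 401, challenge, None
    return 200, {}, user
```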


Re: security quest

Posted by Gianluca Musella <gi...@gmail.com>.
Thank you Pawel,

But, if your web container supports JAAS, you can configure the
login-config tag in your web.xml in this way:

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>myRealm</realm-name>
    </login-config>

This causes the browser and the container to share encoded credentials
in a secure way without https.

I want to write my interceptor to act as the container, sharing an
encoded copy of the entered credentials.

That's all. Is this conceptually correct? And if yes, can someone
give me a hint on how to do this work please?

Thanks for your time.

Gianluca


2008/10/3 Paweł Wielgus <po...@gmail.com>:
> Hi Gianluca,
> how would you expect to share credentials without https?
> Can't you just turn https on for your login action?
> If there is no https, all data are sent in plain text - as far as I know.
>
>
> Best Greetings,
> Paweł Wielgus.

Re: security quest

Posted by Paweł Wielgus <po...@gmail.com>.
Hi Gianluca,
how would you expect to share credentials without https?
Can't you just turn https on for your login action?
If there is no https, all data are sent in plain text - as far as I know.


Best Greetings,
Paweł Wielgus.

2008/10/3 gianluca.musella@gmail.com <gi...@gmail.com>:
> Ok, I will write a custom interceptor and/or action to do this, to allow
> browser and server to safely share credentials without https, like in
> standard JAAS authentication.
>
> I've no idea how to do it. Can someone give me a hint?
>
> Sent from iPhone

Re: security quest

Posted by "gianluca.musella@gmail.com" <gi...@gmail.com>.
Ok, I will write a custom interceptor and/or action to do this, to
allow browser and server to safely share credentials without https,
like in standard JAAS authentication.

I've no idea how to do it. Can someone give me a hint?

Sent from iPhone

On 02 Oct 2008, at 20:59, Laurie Harper
<la...@holoweb.net> wrote:

> It's true if you've implemented it that way; you're asking about  
> your own code... You can have your login form submit over HTTPS  
> instead of regular HTTP. Or you can change your interceptor to  
> perform the necessary challenge/response processing to do basic or  
> digest HTTP authentication instead of using form-based  
> authentication (note: I'm not sure if browsers support digest; with  
> basic auth, HTTPS is still recommended if you want a secure login  
> process.)
>
> L.


Re: security quest

Posted by Laurie Harper <la...@holoweb.net>.
Gianluca Musella wrote:
> I've implemented an AuthenticationInterceptor. If the user isn't
> logged in, they are redirected to a login page to enter credentials.
> 
> The problem is that from this page the user and password are sent in clear
> text, as a normal HTTP POST.
> 
> Is this true? And if yes, is there a way to use some type of encryption
> (something similar to FORM, NORMAL or DIGEST used in standard JAAS)?

It's true if you've implemented it that way; you're asking about your 
own code... You can have your login form submit over HTTPS instead of 
regular HTTP. Or you can change your interceptor to perform the 
necessary challenge/response processing to do basic or digest HTTP 
authentication instead of using form-based authentication (note: I'm not 
sure if browsers support digest; with basic auth, HTTPS is still 
recommended if you want a secure login process.)

L.

