Does only [auth-method] FORM use session tracking?

Ranch Hand
Posts: 117
From HFB p.647, it says FORM-based authentication needs to use SSL or session tracking.

I agree with this, since the container will use a session (either a cookie or URL rewriting) to store info marking that the user has logged in.

However, I wonder if other authentication methods like:
BASIC
DIGEST
CLIENT-CERT
do not use a session?

If a session is not needed for these methods, how does the container know the user has logged in? e.g. after the user logs in via BASIC, where is the login info stored on the client so that the container recognizes him as a logged-in user?
 
Vince Hon
Ranch Hand
Posts: 117
Could anyone help me with this?

Thanks
 
Ranch Hand
Posts: 951
Hi

Your quote:

From HFB p.647, it says FORM-based authentication needs to use SSL or session tracking.

I think any of the auth mechanisms can use SSL or session tracking. FORM-based auth sends the password in clear text. It is not encoded or encrypted, therefore for security it needs some mechanism like SSL. Actually, most CLIENT-CERT auth is implemented using SSL certs.

The second part of the question is about session tracking. I read somewhere that session tracking with URL rewriting is problematic (what the problem is was not mentioned, as I remember), so session tracking using cookies, or the session tracking built into SSL, should be used.

This is my understanding. Hope it is correct.

Thanks
 
Ranch Hand
Posts: 250
Hello,
I think we are mixing two things here: authentication and session tracking.

I think any of the auth mechanisms can use SSL or session tracking

Sorry, but I don't think this is correct. SSL gives more security because the encryption is good. For example, BASIC won't use SSL. Secure Sockets Layer has a built-in mechanism which the container can use to track sessions.

I read somewhere that session tracking with URL rewriting is problematic (what the problem is was not mentioned, as I remember), so session tracking using cookies, or the session tracking built into SSL, should be used.

Session tracking can be done using cookies or URL rewriting or SSL (which has built-in session tracking). URL rewriting is problematic because you have to code a little more compared to session tracking by cookies. But then again it depends on your requirements. If the user has cookies disabled then he/she won't be able to access the app, and you can see the problem.

Also, if you have implemented session tracking by URL rewriting and the user has cookies enabled (in the browser), then the container (most of them) is intelligent enough to use cookies for session tracking and not URL rewriting, and if cookies are disabled then the container will use URL rewriting for session tracking.

SSL comes with a little drawback. It makes the app slow, because you can see the effort involved in encryption and decryption. That means we can't use SSL always for each request. Most of the time only the login request or the requests that involve sensitive data will use SSL, and then the normal requests will come into the picture.

Hope this helps.
 
Narendra Dhande
Ranch Hand
Posts: 951
Hi,

So, is the statement in HF true or false?

Your statement:

Sorry, but I don't think this is correct. SSL gives more security because the encryption is good. For example, BASIC won't use SSL. Secure Sockets Layer has a built-in mechanism which the container can use to track sessions.

Suppose I use the following elements in web.xml: what is the type of auth, and is the SSL mechanism running on my app server?

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>My Realm</realm-name>
</login-config>

<security-constraint>
  <!-- other subelements here -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

......

I think typically for INTEGRAL or CONFIDENTIAL transport SSL is used, but that does not mean we cannot use it with BASIC auth. I think SSL is the underlying layer that satisfies these requirements.

Anyone have more ideas? Please share.

Thanks
 
sawan parihar
Ranch Hand
Posts: 250
Hello,

I think typically for INTEGRAL or CONFIDENTIAL transport SSL is used

Yes, you are right.

I think I didn't get your question. Were we talking about authentication methods or about the connections? We can always keep the connection on SSL, but basic authentication won't use SSL by itself. Client-Certificate authentication uses HTTP over SSL, which provides data encryption, server authentication, message integrity, and optional client authentication for a TCP/IP connection.

On the other hand, BASIC or FORM authentication sends the user names and passwords over the Internet as text that is uu-encoded, but not encrypted.

We can always keep the connection over SSL if we want.

Hope I confused everything more.

 
Vince Hon
Ranch Hand
Posts: 117
If I DON'T use session tracking (no cookie and no URL rewriting) and no SSL, then

all of these 3 auth-methods:
BASIC
DIGEST
FORM

can be used, BUT the website will just continuously show the login page (for the FORM method) or the popup window requesting login (for BASIC and DIGEST), even if the username and password are correct, right?
 
Narendra Dhande
Ranch Hand
Posts: 951
Hi,

can be used, BUT the website will just continuously show the login page (for the FORM method) or the popup window requesting login (for BASIC and DIGEST), even if the username and password are correct, right?

Have you tested this? In my testing env I don't have an SSL cert. I really want to know how it works in practice. Can you give some more details?

Sawan mentioned that basic and form auth use uu-encoding. But I don't think FORM auth uses uu-encoding. It is just plain text.

Very interesting discussion. Please keep this thread going.

Thanks
 
sawan parihar
Ranch Hand
Posts: 250

Sawan mentioned that basic and form auth use uu-encoding. But I don't think FORM auth uses uu-encoding. It is just plain text.



Yes, my mistake. You are right.
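As an added example (not from the thread, HFB, or any container's code), this Python sketch contrasts the two mechanisms the thread circles around: a BASIC check that re-authenticates every request from its Authorization header (base64 is a reversible encoding, so the credentials ride in the clear unless SSL protects them), against a FORM flow where, after the one post to j_security_check, only the session id proves the earlier login. The names USERS, make_basic_header, basic_principal and FormAuthContainer, and the credentials in USERS, are constructed for this demo.

```python
import base64
import secrets

# Constructed credential store standing in for the container's realm (demo only).
USERS = {"vince": "s3cret"}


def make_basic_header(user, password):
    """Build the header a browser sends after a BASIC challenge: base64 of
    'user:password'. base64 is a reversible encoding, not encryption."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def basic_principal(headers):
    """BASIC: every request carries the Authorization header again, so the
    container authenticates each request on its own and needs no session.
    Returns the user name, or None (the container would answer 401 + challenge)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    except ValueError:  # bad base64 or non-UTF-8 bytes: treat as no credentials
        return None
    expected = USERS.get(user)
    if expected is None or not secrets.compare_digest(expected.encode(), pw.encode()):
        return None
    return user


class FormAuthContainer:
    """FORM: the password is posted once to j_security_check. Afterwards only a
    session id (JSESSIONID cookie, or ;jsessionid= via URL rewriting) tells the
    container the user is logged in, which is why FORM needs session tracking."""

    def __init__(self):
        self.sessions = {}  # session id -> authenticated user

    def j_security_check(self, j_username, j_password):
        """Return a new session id on success, None on failure (form-error-page)."""
        expected = USERS.get(j_username)
        if expected is None or not secrets.compare_digest(expected.encode(), j_password.encode()):
            return None
        sid = secrets.token_hex(16)  # unguessable id, as a container would issue
        self.sessions[sid] = j_username
        return sid

    def form_principal(self, cookies):
        """A request without a known session id is unauthenticated: the container
        shows the login page again, however correct the earlier login was."""
        return self.sessions.get(cookies.get("JSESSIONID"))
```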