Search...
FAQs Subscribe
Pie
FAQs
Recent topics Flagged topics Hot topics Best topics
Search...
Search within OCPJWCD Search Coderanch
Advance search Google search
Register / Login
thread boost advertise on coderanch polymorphism book review grid granny
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
book review grid meaningless drivel thread boost building better world book advertise on coderanch
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
Sheriffs:
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
Bartenders:
  • Mikalai Zaikin

Form based authentication

 
shankar valiinaykam
Greenhorn
Posts: 23
posted 19 years ago
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
    Send
  • Quote
  • Report post to moderator
Hi,

P-700; Q-1 says Form based authentication is recommended only if cookies or SSL session tracking is enabled. Why is it like this, when URL rewriting is there to save us?

In security roles, i find one combination missing. If two security constraints are there for same resource as "*" and nobody <auth-constraint/> then who rules? Is it "everybody" or "nobody"?
My guess is : Nobody. Somebody, plz confirm.

Thanks,
Shankar
 
shankar valiinaykam
Greenhorn
Posts: 23
posted 19 years ago
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
    Send
  • Quote
  • Report post to moderator
Oooops!!! I wanted to write P-667 and Q-9.
 
Daniel Spaethe
Greenhorn
Posts: 15
posted 19 years ago
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
    Send
  • Quote
  • Report post to moderator
From my understanding, the reason they indicate that form based authentication should only be used wihen SSL session tracking is enabled is that out of the 4 types, BASIC, CLIENT-CERT, DIGEST and FORM, FORM is the least secure. The other 3 types provide at least some type of encryption.


As for your other qustion, an empty <auth-constraint/> tag will combine with anything else and will allow "nobody".

Dan

SCJP 5.0<br />SCJP 1.4<br />SCWCD 1.4<br />SCBCD 1.3

 
Daniel Spaethe
Greenhorn
Posts: 15
posted 19 years ago
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
    Send
  • Quote
  • Report post to moderator
Sorry, meant to say that the FORM is the least secure of all:
BASIC - is encoded, but not encrypted. base 64
DIGEST - not widley used.. but more secure than BASIC
CLIENT-CERT - clients need a certificate on their side.
FROM - least secure of all 4

SCJP 5.0<br />SCJP 1.4<br />SCWCD 1.4<br />SCBCD 1.3

 
jQuery in Action, 3rd edition
reply
reply
    Bookmark Topic Watch Topic
  • New Topic
Boost this thread!
Similar Threads
More...