Which authentication method to use ?

Sreedevi Vinod
Ranch Hand

Joined: Jan 17, 2005
Posts: 117
hi,

I want to choose an authentication method for my web application. If I use basic authentication, I cannot use a custom login page and it's not secure. Form based authentication allows me to use a custom login page, but it is not at all secure. I don't want to use client side certificates since it is expensive and difficult to implement. Is there any other way or do I have to use programmatic security like JAAS ?

Thanks
Devi
Kartik Lax
Greenhorn

Joined: Apr 23, 2006
Posts: 24
I don't understand what you mean by

Form based authentication allows me to use a custom login page, but it is not at all secure


-Hellkay
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 39535
Form auth and Basic auth offer the exact same level of security, they're just implemented differently. Why do you think Basic auth is more secure?

JAAS does not address browser/web app auth - you would need to use web app auth along with it.
[ June 14, 2006: Message edited by: Ulf Dittmer ]

Sreedevi Vinod
Ranch Hand

Joined: Jan 17, 2005
Posts: 117
Sorry, I just meant to say that both form and basic authentication methods are not secure. So apart from using client-cert, how can I ensure security ?

Thanks
Devi
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 39535
There are any number of things you could do, but without knowing in which way you perceive HTTP auth to be insecure, it's hard to recommend one.
Sreedevi Vinod
Ranch Hand

Joined: Jan 17, 2005
Posts: 117
http://java.sun.com/j2ee/tutorial/1_3-fcs/doc/Security4.html
Here, it says that
"Neither form-based authentication nor HTTP basic authentication is particularly secure. In form-based authentication, the content of the user dialog box is sent as plain text, and the target server is not authenticated. Basic authentication sends user names and passwords over the Internet as text that is uuencoded, but not encrypted. This form of authentication, which uses Base64 encoding, can expose your user names and passwords unless all connections are over SSL. If someone can intercept the transmission, the username and password information can easily be decoded."
How do you tackle this issue ?

Thanks
Devi
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 39535
Well, using SSL is quite easy, so that should be a no-brainer.
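The passage quoted from the Sun tutorial above and the reply that SSL is the answer can be made concrete. The following is an added example, not code from the thread or from the tutorial: it decodes a constructed `Authorization: Basic` header the way anyone able to read the traffic could (Base64 is an encoding with no key, so "uuencoded, but not encrypted" means the password is recoverable as-is), and it shows a server-side policy that refuses to accept credentials that did not arrive over SSL/TLS. It assumes Java 8 or later for `java.util.Base64`; the class, the method names `decodeBasic` and `acceptCredential`, and the sample credentials `alice:s3cret` are all constructed for this illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/**
 * Added example (not from the thread): shows why a Basic Authorization header
 * protects nothing by itself, and how a server-side check can refuse to accept
 * credentials that did not arrive over SSL/TLS.
 */
public class BasicAuthExposure {

    /** Username and password recovered from an Authorization header. */
    public static final class Credentials {
        public final String username;
        public final String password;

        Credentials(String username, String password) {
            this.username = username;
            this.password = password;
        }
    }

    /**
     * Decodes "Authorization: Basic <base64>" exactly as any intermediary on the
     * wire could. Base64 is an encoding, not encryption: there is no key.
     * Returns null if the header is not a well-formed Basic credential.
     */
    public static Credentials decodeBasic(String authorizationHeader) {
        if (authorizationHeader == null) {
            return null;
        }
        String scheme = "Basic ";
        if (!authorizationHeader.regionMatches(true, 0, scheme, 0, scheme.length())) {
            return null;
        }
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(authorizationHeader.substring(scheme.length()).trim());
        } catch (IllegalArgumentException e) {
            return null; // not valid Base64
        }
        String pair = new String(raw, StandardCharsets.UTF_8);
        // RFC 2617 format is user-id ":" password; only the first colon separates them,
        // because the password itself may contain colons.
        int colon = pair.indexOf(':');
        if (colon < 0) {
            return null;
        }
        return new Credentials(pair.substring(0, colon), pair.substring(colon + 1));
    }

    /**
     * Server-side policy: a credential is only accepted if the request arrived
     * over a secure channel. In a servlet this flag is HttpServletRequest.isSecure();
     * it is passed in as a boolean here so the class has no container dependency.
     * The same rule applies to a form login's j_username/j_password POST body.
     */
    public static boolean acceptCredential(String authorizationHeader, boolean requestIsSecure) {
        if (!requestIsSecure) {
            return false; // plain HTTP: refuse rather than let the password travel in the clear
        }
        return decodeBasic(authorizationHeader) != null;
    }

    public static void main(String[] args) {
        // Constructed sample header: "alice:s3cret" Base64-encoded, as a browser would send it.
        String header = "Basic " + Base64.getEncoder()
                .encodeToString("alice:s3cret".getBytes(StandardCharsets.UTF_8));
        Credentials c = decodeBasic(header);
        System.out.println("On the wire:               " + header);
        System.out.println("Recovered without any key: " + c.username + " / " + c.password);
        System.out.println("Accepted over plain HTTP?  " + acceptCredential(header, false));
        System.out.println("Accepted over HTTPS?       " + acceptCredential(header, true));
    }
}
```

In a real deployment the check does not have to be hand-written: declaring `<user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>` inside the `<security-constraint>` in `web.xml` tells the container that the constrained resources, and therefore the login exchange for either BASIC or FORM authentication, may only be served over SSL. That is the declarative equivalent of the `requestIsSecure` test above and is why the two methods end up with the same level of protection once SSL is in place.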