Which authentication method to use?

Sreedevi Vinod
Ranch Hand

Joined: Jan 17, 2005
Posts: 117
hi,

I want to choose an authentication method for my web application. If I use basic authentication, I cannot use a custom login page and it's not secure. Form based authentication allows me to use a custom login page, but it is not at all secure. I don't want to use client side certificates since it is expensive and difficult to implement. Is there any other way or do I have to use programmatic security like JAAS?

Thanks
Devi
Kartik Lax
Greenhorn

Joined: Apr 23, 2006
Posts: 24
I don't understand what you mean by

Form based authentication allows me to use a custom login page, but it is not at all secure


-Hellkay
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42285
Form auth and Basic auth offer the exact same level of security, they're just implemented differently. Why do you think Basic auth is more secure?

JAAS does not address browser/web app auth - you would need to use web app auth along with it.
[ June 14, 2006: Message edited by: Ulf Dittmer ]

Ping & DNS - my free Android networking tools app
Sreedevi Vinod
Ranch Hand

Joined: Jan 17, 2005
Posts: 117
Sorry, I just meant to say that both form and basic authentication methods are not secure. So apart from using client-cert, how can I ensure security?

Thanks
Devi
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42285
There are any number of things you could do, but without knowing in which way you perceive HTTP auth to be insecure, it's hard to recommend one.
Sreedevi Vinod
Ranch Hand

Joined: Jan 17, 2005
Posts: 117
http://java.sun.com/j2ee/tutorial/1_3-fcs/doc/Security4.html
Here, it says that
"Neither form-based authentication nor HTTP basic authentication is particularly secure. In form-based authentication, the content of the user dialog box is sent as plain text, and the target server is not authenticated. Basic authentication sends user names and passwords over the Internet as text that is uuencoded, but not encrypted. This form of authentication, which uses Base64 encoding, can expose your user names and passwords unless all connections are over SSL. If someone can intercept the transmission, the username and password information can easily be decoded."
How do you tackle this issue?

Thanks
Devi
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42285
Well, using SSL is quite easy, so that should be a no-brainer.