auth-method and transport-guarantee in web.xml

Rudy Rusli
Ranch Hand

Joined: Jun 01, 2006
Posts: 114
How does auth-method, and transport-guarantee in web.xml work?
What are the differences between these two?

What's going to happen if I do auth-method: DIGEST but I set transport-guarantee: NONE?

Thanks!
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42602
auth-method specifies how authentication is done, i.e. how a user convinces the server who she is. The principal methods are Basic, Digest, Form and Certificate.

transport-guarantee specifies how all traffic is transferred over the wire - either unencrypted via HTTP (value of NONE) or encrypted via HTTPS (value of CONFIDENTIAL).

Both concepts are orthogonal, and can be used independently of each other.


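As an added illustration (not part of Ulf's post or the original thread), here is how the two settings sit side by side in a web.xml. The URL pattern, realm name and role name are assumptions chosen for the example; the element names and the allowed values are those of the Servlet deployment descriptor.

```xml
<!-- Added example, not from the original thread.
     /secure/*, "example-realm" and the "admin" role are assumed names. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected area</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- NONE: plain HTTP is accepted.
         INTEGRAL: data must not be alterable in transit.
         CONFIDENTIAL: data must not be readable in transit.
         Containers satisfy INTEGRAL and CONFIDENTIAL by redirecting to HTTPS. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <!-- Allowed values: BASIC, DIGEST, FORM, CLIENT-CERT -->
  <auth-method>DIGEST</auth-method>
  <realm-name>example-realm</realm-name>
</login-config>

<security-role>
  <role-name>admin</role-name>
</security-role>
```

The weak combination from the original question would be the same descriptor with `<transport-guarantee>NONE</transport-guarantee>`: authentication still happens, but every request and response, including the Authorization header carrying the digest, crosses the network in the clear.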
Rudy Rusli
Ranch Hand

Joined: Jun 01, 2006
Posts: 114
Thanks for the reply.

I'm interested to know more about how DIGEST works.
If I'm not mistaken, with this approach authentication will be done using MD5?
But if transport-guarantee equals NONE, then this authentication can still be intercepted in the middle of the network?

Thank you.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42602
Well, if you're really interested in the details, have a look at RFC 2069 and RFC 2617, which define how Basic and Digest authentication work.

SSL has no impact on authentication, because the authentication information is part of the HTTP headers, which are not encrypted by SSL. Yes, the digested password is known if the transmission is intercepted, and could be used for a playback attack. But the password is still secret.
Rudy Rusli
Ranch Hand

Joined: Jun 01, 2006
Posts: 114
I think I understand it more clearly now.
So DIGEST is still doing authentication for the password. The password is still a secret. But transport-guarantee:NONE still keeps the password secret even though it can be intercepted.

Thank you Ulf. =)
Rudy Rusli
Ranch Hand

Joined: Jun 01, 2006
Posts: 114
One thing that I still don't quite understand is
if the password is being authenticated on the client side,
how does the server side know the original password?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42602
if the password is being authenticated on the client side,...

It's digested on the client side, but authentication happens on the server.

...how does the server side know the original password?

It doesn't. Computing a digest is an irreversible process, so the server needs to have access to a pre-digested version of the password, in order to compare that to what the client sends.
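The two points Ulf makes above (the server keeps only a pre-digested password, and a sniffed digest can be played back) can be shown in a few lines. The following is an added example, not code from the thread or from any servlet container: it implements the RFC 2617 Digest calculation with `qop=auth`, stores only HA1 = MD5(username:realm:password) on the server side, and tracks the nonce count so that a captured response cannot simply be replayed. The realm, user name, password, nonce values and URIs are constructed for the example.

```python
# Added example, not from the original thread. Realm, user, password,
# client nonce and URIs below are constructed inputs for illustration.
import hashlib
import hmac
import secrets


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    # RFC 2617 HA1. This is the only password-derived value the server stores;
    # it cannot be turned back into the password.
    return md5_hex(f"{username}:{realm}:{password}")


def ha2(method: str, uri: str) -> str:
    # RFC 2617 HA2 for qop=auth.
    return md5_hex(f"{method}:{uri}")


def digest_response(ha1_value: str, nonce: str, nc: str, cnonce: str,
                    qop: str, method: str, uri: str) -> str:
    # RFC 2617, qop=auth: response = MD5(HA1:nonce:nc:cnonce:qop:HA2)
    return md5_hex(f"{ha1_value}:{nonce}:{nc}:{cnonce}:{qop}:{ha2(method, uri)}")


class DigestServer:
    """Server side: holds HA1 per user and the highest nonce count seen per nonce."""

    def __init__(self, realm: str):
        self.realm = realm
        self.users = {}    # username -> HA1 (pre-digested), never the plaintext
        self.nonces = {}   # server nonce -> highest nc accepted so far

    def add_user(self, username: str, password: str) -> None:
        # Digest at enrolment time; the plaintext is discarded afterwards.
        self.users[username] = ha1(username, self.realm, password)

    def challenge(self) -> str:
        # Fresh, unpredictable nonce sent in WWW-Authenticate.
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return nonce

    def verify(self, username: str, nonce: str, nc: str, cnonce: str,
               method: str, uri: str, response: str) -> bool:
        if nonce not in self.nonces:
            return False                       # unknown or stale nonce
        if int(nc, 16) <= self.nonces[nonce]:
            return False                       # nonce count reused: replay
        stored_ha1 = self.users.get(username)
        if stored_ha1 is None:
            return False
        expected = digest_response(stored_ha1, nonce, nc, cnonce, "auth", method, uri)
        ok = hmac.compare_digest(expected, response)
        if ok:
            self.nonces[nonce] = int(nc, 16)
        return ok


def demo() -> dict:
    """One legitimate login, then two attempts using the sniffed response."""
    realm, user, password = "example-realm", "alice", "correct horse battery staple"
    server = DigestServer(realm)
    server.add_user(user, password)

    nonce = server.challenge()
    # Client side: the browser digests the password locally and sends only the response.
    client_ha1 = ha1(user, realm, password)
    response = digest_response(client_ha1, nonce, "00000001", "0a4f113b", "auth",
                               "GET", "/secure/report")

    first = server.verify(user, nonce, "00000001", "0a4f113b", "GET", "/secure/report", response)
    # Attacker on plain HTTP replays the exact captured header.
    replay = server.verify(user, nonce, "00000001", "0a4f113b", "GET", "/secure/report", response)
    # Attacker reuses the captured response for a different URI (HA2 differs).
    other_uri = server.verify(user, nonce, "00000002", "0a4f113b", "GET", "/secure/admin", response)

    return {
        "first": first,
        "replay": replay,
        "other_uri": other_uri,
        "server_holds_plaintext": password in repr(server.users),
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner should keep in mind. The replay defence only works because the server remembers the nonce and the nonce count; a server that accepts any nonce count, or reuses nonces, will accept the captured header again. And while the plaintext never crosses the wire, everything else in the calculation (nonce, nc, cnonce, method, URI) does, so an eavesdropper on transport-guarantee NONE can run an offline dictionary attack against the captured response and recover a weak password; Digest without HTTPS protects against casual sniffing, not against a determined attacker.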
Rahul Bhattacharjee
Ranch Hand

Joined: Nov 29, 2005
Posts: 2308
Originally posted by Ulf Dittmer:
transport-guarantee specifies how all traffic is transferred over the wire - either unencrypted via HTTP (value of NONE) or encrypted via HTTPS (value of CONFIDENTIAL).

HTTPS -> value of CONFIDENTIAL and INTEGRAL.


Rahul Bhattacharjee
Rudy Rusli
Ranch Hand

Joined: Jun 01, 2006
Posts: 114
Thanks for the help guys =)