I have a question regarding servlet security. In the specification (in the XSD) it says:
A value of INTEGRAL means
that the application requires that the data sent between the
client and server be sent in such a way that it can’t be
changed in transit
CONFIDENTIAL means that the application
requires that the data be transmitted in a fashion that
prevents other entities from observing the contents of the
transmission
My questions:
* Does INTEGRAL enforce mutual SSL authentication (so-called SSL client authentication)? Or does it only indicate that certificate-based, one-sided server authentication should be conducted?
* CONFIDENTIAL - it's pretty clear - when it's off, no encryption (which apparently is not mandatory in SSL); when it's on, encryption is also on - can someone confirm that?
* Is it possible in SSL to have only encryption without cert-based server authentication, so that the server's identity is not confirmed by the browser?
* How can I specify both INTEGRAL and CONFIDENTIAL? user-data-constraint is limited to allow only one transport-guarantee - should I specify two user-data-constraint elements?
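Added example (not from any post in this thread) of the deployment-descriptor shape the last two questions are about: a single user-data-constraint carrying one transport-guarantee, and the login-config element where client-certificate authentication is actually requested. The url-pattern, role name and realm name are assumed values.

```xml
<!-- Added example, not from the thread. Path, role and realm names are assumed. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

  <!-- A user-data-constraint holds exactly one transport-guarantee.
       The protected transport is TLS, which provides integrity as well
       as encryption, so CONFIDENTIAL already covers what INTEGRAL asks
       for; containers such as Tomcat treat both values identically
       (the request must arrive over the HTTPS connector, otherwise it is
       redirected to it). A second user-data-constraint is not needed. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>          <!-- assumed path -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>                   <!-- assumed role -->
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Mutual (client-certificate) authentication is not expressed by
       transport-guarantee at all. It is requested here with CLIENT-CERT,
       and the container's HTTPS connector must additionally be configured
       to ask the browser for a certificate and to trust the issuing CA;
       transport-guarantee alone never causes the client to be authenticated. -->
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>Protected area</realm-name>         <!-- assumed realm name -->
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>
</web-app>
```

With this descriptor a plain-HTTP request for /secure/ is redirected to HTTPS by the container, and the client is then identified by its certificate rather than by a form or BASIC login.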
I don't know the answer but the Servlet specification says:
A user data constraint establishes a requirement that the constrained requests be
received over a protected transport layer connection. The strength of the required
protection is defined by the value of the transport guarantee. A transport
guarantee of INTEGRAL is used to establish a requirement for content integrity
and a transport guarantee of CONFIDENTIAL is used to establish a requirement
for confidentiality. The transport guarantee of “NONE” indicates that the
container must accept the constrained requests when received on any connection
including an unprotected one. A user data constraint consists of the following
element:
■ transport guarantee (transport-guarantee in deployment descriptor)
If no authorization constraint applies to a request, the container must accept the
request without requiring user authentication. If no user data constraint applies to
a request, the container must accept the request when received over any
connection including an unprotected one.
I am also trying to understand this.
If you get to know the answer please update this thread accordingly.
Thanks and Regards,
~Sujoy
Marcin Cinik
Unfortunately, up to now I haven't been able to find answers - I'm too busy at the moment to investigate further. Maybe someone else already knows the answers?