
Doubt regarding security/data integrity from the HFSJ book?

 
gurpeet singh
Ranch Hand
Posts: 924
Please refer to HFSJ, 2nd edition, page no. 687. The following is step 1 in the case of an unauthorised client making a request to a resource with the transport guarantee set to CONFIDENTIAL.


Unauthorized client requests a constrained resource
that has a CONFIDENTIALITY transport guarantee
The Container sees that this
constrained resource has a transport
guarantee. The Container sees that the
request did NOT come in securely...
The Container sends a 301 response to the client, that
tells the browser to redirect the request using a secure connection.


The book shows a diagram where the user is making a POST request to /BuyStuff.jsp. So initially, the first time the user makes the request, the payload in the POST request goes unencrypted, right? That means it is visible to an eavesdropper. It is only after the first request that the container asks the browser to switch to HTTPS over SSL. So the first time, the data/payload is visible. Am I missing something? If I am not, then how can we say that the data is protected? (No doubt the login information is secured when the user makes the request the third time, but what about the payload in the POST request?)
 
Frits Walraven
Creator of Enthuware JWS+ V6
Saloon Keeper
Posts: 2336
so for the first time the data/payload is visible. am i missing something ?

Yes, you are right, but up until the request to BuyStuff.jsp nothing is protected. BuyStuff.jsp and (probably) the data of subsequent requests afterwards are protected...

The book should maybe have used a GET request to make its point clear (and avoid confusion).

Regards,
Frits
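The exchange both posts above describe, as an added worked model that is not part of this thread, the HFSJ book, or any real container's code: a CONFIDENTIAL transport guarantee on /BuyStuff.jsp, the container's redirect on the first plain-HTTP request, and what an on-path eavesdropper can read on each hop. The host name shop.example, the /shop/* pattern and the card/amount form payload are constructed for the example. Two facts the model relies on are not in the thread: the book's diagram says 301 while Tomcat actually sends 302, and after either status browsers re-request with GET and drop the POST body (only 307/308 replay the method and body, RFC 7231 and RFC 7538). The hardened_scenario function shows the practitioner's fix: put the guarantee on the page that serves the form as well, so the only cleartext hop is a GET with no payload and the POST itself originates over https.

```python
"""Model of a CONFIDENTIAL transport guarantee, the container's redirect, and
what an eavesdropper sees per hop.  Constructed simplification for this thread,
not code from Head First Servlets & JSP, Tomcat or any other container."""

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Constraint:
    """One <security-constraint> reduced to the two fields that matter here.
    Pattern matching is simplified to exact match or a '/prefix/*' rule."""
    url_pattern: str          # e.g. "/BuyStuff.jsp" or "/shop/*"
    transport_guarantee: str  # "NONE", "INTEGRAL" or "CONFIDENTIAL"

    def matches(self, path: str) -> bool:
        if self.url_pattern.endswith("/*"):
            return path.startswith(self.url_pattern[:-1])
        return path == self.url_pattern


@dataclass(frozen=True)
class Request:
    method: str
    scheme: str     # "http" (cleartext) or "https" (TLS)
    host: str
    path: str
    body: str = ""  # form payload; empty for GET


@dataclass(frozen=True)
class Response:
    status: int
    location: Optional[str] = None


def observe(req: Request) -> str:
    """What an on-path eavesdropper records for one request: request line and
    body on a cleartext hop, nothing useful on a TLS hop."""
    if req.scheme == "http":
        return f"{req.method} {req.path} body={req.body!r}"
    return "<TLS: encrypted>"


def container(req: Request, constraints: List[Constraint]) -> Response:
    """Step 1 from the book: a constrained resource with a transport guarantee,
    requested over plain HTTP, is not served; the client is redirected to the
    https URL.  The book's diagram says 301; Tomcat sends 302.  Browsers treat
    both the same way (see browser_follow)."""
    for c in constraints:
        if (c.matches(req.path) and c.transport_guarantee != "NONE"
                and req.scheme != "https"):
            return Response(302, location=f"https://{req.host}{req.path}")
    return Response(200)


def browser_follow(req: Request, resp: Response) -> Optional[Request]:
    """Redirect handling as browsers implement it: after 301/302 the browser
    re-requests with GET and drops the body, so the POST payload is not resent;
    after 307/308 it replays the original method and body unchanged."""
    if resp.location is None:
        return None
    scheme, rest = resp.location.split("://", 1)
    host, _, path = rest.partition("/")
    if resp.status in (307, 308):
        return Request(req.method, scheme, host, "/" + path, req.body)
    return Request("GET", scheme, host, "/" + path)


def run(first: Request, constraints: List[Constraint]) -> Tuple[List[str], List[Request]]:
    """Drive one browser/container exchange; return the eavesdropper's log and
    the requests actually sent, in order."""
    wire, sent, req = [], [], first
    for _ in range(5):  # bound the redirect chain
        wire.append(observe(req))
        sent.append(req)
        nxt = browser_follow(req, container(req, constraints))
        if nxt is None:
            break
        req = nxt
    return wire, sent


PAYLOAD = "card=4111111111111111&amount=99"  # constructed sample form data


def book_scenario() -> Tuple[List[str], List[Request]]:
    """The thread's case: the form was loaded over http, so the browser POSTs
    over http first and the payload crosses the wire in the clear."""
    constraints = [Constraint("/BuyStuff.jsp", "CONFIDENTIAL")]
    first = Request("POST", "http", "shop.example", "/BuyStuff.jsp", PAYLOAD)
    return run(first, constraints)


def hardened_scenario() -> Tuple[List[str], List[Request]]:
    """Put the guarantee on the page that serves the form too (the whole /shop/
    tree).  The only cleartext hop is then a GET with no payload; the form is
    loaded over https and therefore submits over https."""
    constraints = [Constraint("/shop/*", "CONFIDENTIAL")]
    first = Request("GET", "http", "shop.example", "/shop/BuyStuff.jsp")
    wire, sent = run(first, constraints)
    post = Request("POST", "https", "shop.example", "/shop/BuyStuff.jsp", PAYLOAD)
    wire.append(observe(post))
    sent.append(post)
    return wire, sent


if __name__ == "__main__":
    for name, fn in (("book", book_scenario), ("hardened", hardened_scenario)):
        print(name, *fn()[0], sep="\n  ")
```

Running it prints the eavesdropper's log for both cases: in the book's scenario the first line is the full card payload in the clear and the redirected request is a GET that no longer carries it, so the user has to resubmit the form over https anyway; in the hardened scenario no cleartext hop ever contains the payload. A 307/308 from the container would make the browser replay the POST over TLS, but that does not help here: the cleartext copy has already been sent. Beyond constraining the form page, HSTS (Strict-Transport-Security) makes the browser rewrite http to https before sending anything at all on later visits, which closes the same gap on the client side.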
 