doubt regarding security/data integrity from hfsj book ?

gurpeet singh
Ranch Hand

Joined: Apr 04, 2012
Posts: 924
    
    1

Please refer to HFSJ 2nd edition, page no. 687. The following is step 1 in the case of an unauthorised client making a request to a resource with the transport guarantee set to CONFIDENTIAL.


Unauthorized client requests a constrained resource that has a CONFIDENTIALITY transport guarantee. The Container sees that this constrained resource has a transport guarantee. The Container sees that the request did NOT come in securely... The Container sends a 301 response to the client, that tells the browser to redirect the request using a secure connection.


The book shows a diagram where the user is making a POST request on /BuyStuff.jsp. So initially, the first time the user makes the request, the payload in the POST request goes unencrypted, right? That means it is visible to an eavesdropper. It is only after the first request that the container asks the browser to switch to HTTPS over SSL. So for the first time the data/payload is visible. Am I missing something? If I am not, then how can we say that the data is protected? (No doubt the login information is secured when the user makes the request the third time, but what about the payload in the POST request?)
Frits Walraven
Creator of Enthuware JWS+ V6
Bartender

Joined: Apr 07, 2010
Posts: 1743
    
  25

So for the first time the data/payload is visible. Am I missing something?

Yes, you are right, but up until the request to BuyStuff.jsp nothing is protected. BuyStuff.jsp and (probably) the data of subsequent requests afterwards are protected...

The book should maybe have used a GET request to make their point clear (and avoid confusion).

Regards,
Frits
 
Don't get me started about those stupid light bulbs.
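To make the thread's point concrete, here is an added Python model (not code from the book or from any servlet container) of the container's transport-guarantee check and of the browser following the 301: the constraint on /BuyStuff.jsp comes from the thread, while the host name, the card number in the body and the assumption that the browser re-sends a 301'd POST as a body-less GET over HTTPS are constructed and labelled in the code.

```python
from dataclasses import dataclass

@dataclass
class Request:
    scheme: str     # "http" or "https"
    method: str     # "GET" or "POST"
    host: str
    path: str
    body: str = ""  # POST payload; already on the wire when the container sees it

@dataclass
class Constraint:
    url_pattern: str          # servlet <url-pattern>: exact, "/dir/*" or "*.ext"
    transport_guarantee: str  # NONE, INTEGRAL or CONFIDENTIAL

def pattern_matches(pattern, path):
    """Servlet-style URL pattern matching: exact, path prefix or extension."""
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    return path == pattern

def container_handle(req, constraints, https_port=8443):
    """Model of the container's transport-guarantee check (step 1 on p. 687)."""
    needs_tls = any(c.transport_guarantee in ("INTEGRAL", "CONFIDENTIAL")
                    and pattern_matches(c.url_pattern, req.path) for c in constraints)
    if needs_tls and req.scheme != "https":
        # The redirect is decided only after the whole request, body included,
        # has crossed the network in clear text: that is what an eavesdropper saw.
        return {"status": 301, "exposed_body": req.body,
                "location": f"https://{req.host}:{https_port}{req.path}"}
    return {"status": 200, "exposed_body": ""}

def browser_follow(req, resp):
    """Assumed browser behaviour on 301: re-issue over HTTPS as a GET with no body."""
    if resp["status"] != 301:
        return None
    return Request("https", "GET", req.host, req.path, "")

CONSTRAINTS = [Constraint("/BuyStuff.jsp", "CONFIDENTIAL")]  # constructed web.xml equivalent

def first_post_exposure(body="card=4111111111111111"):  # constructed sample payload
    """The book's scenario: plain-HTTP POST to the constrained page, then the redirect."""
    first = Request("http", "POST", "shop.example", "/BuyStuff.jsp", body)
    resp = container_handle(first, CONSTRAINTS)
    retry = browser_follow(first, resp)
    second = container_handle(retry, CONSTRAINTS)
    return {"first_status": resp["status"], "leaked": resp["exposed_body"],
            "retry_method": retry.method, "retry_body": retry.body,
            "second_status": second["status"]}
```

Running first_post_exposure() shows the first POST body leaked in clear text and the redirected request arriving as a GET with an empty body, which is why only a GET (or a direct HTTPS request) is actually protected by the constraint.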