Re: SSL/https - How to configure Tomcat?
From: Sebastian Scheid (mynewsgroup_at_web.de)
Date: 02/05/05
- Next message: A.Tamboer: "Re: Applet and newbie"
- Previous message: Roland: "Re: Context Sensitive Help"
- In reply to: Ryan Stewart: "Re: SSL/https - How to configure Tomcat?"
- Next in thread: Ryan Stewart: "Re: SSL/https - How to configure Tomcat?"
- Reply: Ryan Stewart: "Re: SSL/https - How to configure Tomcat?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Sat, 5 Feb 2005 10:41:16 +0100
"Ryan Stewart" <zzanNOtozz@gSPAMo.com> wrote in message
news:seCdneHGotUAlJnfRVn-qg@texas.net...
> "Sebastian Scheid" <mynewsgroup@web.de> wrote in message
> news:36hgb5F52g4i9U1@individual.net...
>> "Ryan Stewart" <zzanNOtozz@gSPAMo.com> wrote in message
>> news:OdudnRUx_OkJqJ3fRVn-rA@texas.net...
> [...]
>>> SSL is not an authentication method.
>>
>> That's wrong. One aspect of SSL is authentication.
>>
> You mean it's right to say that SSL is an authentication method? I don't
> think I'd agree with that. But if you want to be more specific: SSL is not
> a container managed authentication method.
>
> [...]
>>>> Is SSL security only achieved through <auth-method>FORM</auth-method>
>>>> (i.e. through custom login forms) ONLY?
> [...]
>>> User authentication is not necessary for SSL.
>>
>> But if you WANT authentication, SSL supports it.
>>
> Again, the container supports these forms of authentication. SSL
> authentication is a different concept, though the two may be tied
> together.
Ok, there are different aspects of authentication: BASIC auth is part of
HTTP. The data is encrypted using Base64, which is not secure. The FORM auth
method (part of the Servlet Spec?) does not encrypt any data. Plain text is
sent. By enabling SSL, ALL traffic is secure. So BASIC and FORM auth still
work the same way as without SSL but cannot be read by others.
The problem with these kinds of authentication is that, though the user sends
confidential data over a secure connection, he has no guarantee that the receiver
(= server) is authentic (=> it could be the bad guy's server). Now SSL's
authentication comes into play: SSL uses certificates to authenticate someone
(server or client). Server authentication using a certificate gives the user
the guarantee that the server is authentic. Client authentication (over SSL!) is
seldom used.
So, to achieve authentication of the user (= client), SSL doesn't help you (if
you don't want the user to install his own certificate). You can use BASIC
or FORM auth.
If you want to protect the transmission of the user's confidential data, you
have to encrypt it using SSL.
If you want to make the user trust your server, SSL helps you with
server authentication.
BTW, the last two steps can be handled by Tomcat, but if you use Tomcat
in combination with a web server like Apache, this web server should take care
of SSL.
For further information see the J2EE tutorial
http://java.sun.com/j2ee/1.4/docs/tutorial-update2/doc/Security5.html#wp182253 .
I think you meant this, Ryan. I hope this summary is correct and helps
Anks build secure webapps :-)
Regards
Sebastian
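The three points of the summary above (container-managed user authentication via BASIC or FORM, encryption of the transmission, and server authentication with a certificate) map directly onto Tomcat configuration. The following is an added example, not configuration posted by Sebastian or Ryan or taken from the Tomcat documentation: a Tomcat 5.x HTTPS `<Connector>` for server.xml and a web.xml fragment that forces the protected URLs onto SSL and then applies BASIC auth on top. The keystore path, password, URL pattern and role name are assumptions chosen for illustration.

```xml
<!-- server.xml (inside <Service>): the HTTPS connector that handles
     encryption and server authentication with the certificate in the
     keystore. clientAuth="false" means no client certificate is required,
     matching the post's point that client authentication over SSL is
     seldom used. Keystore path and password are assumed values. -->
<Connector port="8443"
           scheme="https" secure="true"
           sslProtocol="TLS" clientAuth="false"
           keystoreFile="/opt/tomcat/conf/keystore.jks"
           keystorePass="changeit"
           maxThreads="150" enableLookups="false" />

<!-- web.xml (inside <web-app>): container-managed authentication.
     transport-guarantee CONFIDENTIAL makes Tomcat redirect plain-HTTP
     requests for /secure/* to the HTTPS connector BEFORE the BASIC
     challenge is sent, so the Base64 Authorization header never crosses
     the wire unencrypted. /secure/* and the role "user" are assumed. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected area</web-resource-name>
        <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>user</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<!-- Swap BASIC for FORM (with <form-login-config>) if you want a custom
     login page; the transport-guarantee above protects either one. -->
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Protected area</realm-name>
</login-config>

<security-role>
    <role-name>user</role-name>
</security-role>
```

The check to run after deploying: request `http://host:8080/secure/` and confirm the response is a redirect to `https://host:8443/secure/` rather than a `401` with a `WWW-Authenticate` header; if the `401` arrives over plain HTTP, the `<user-data-constraint>` is not being applied and credentials would be sent as Base64 in the clear. When Apache sits in front of Tomcat and terminates SSL, drop the `<Connector>` above and keep the web.xml part, but make sure the connector Apache forwards to is marked `secure="true"` so Tomcat treats the forwarded requests as confidential.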