Re: using an applet to verify a user's credentials




<printdude1968@xxxxxxxxx> wrote in message news:1179534958.403058.266510@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
| On May 18, 7:50 pm, "TideRider" <4me2k...@xxxxxxxx> wrote:
| > Another issue with trying to use an applet for user authentication is that you
| > are providing, to a greater or lesser degree, account information for all your
| > valid accounts. This is especially a problem if it includes accounts with more
| > potent access rights.
| >
| > Even when your account matrix is on the server, you should take care to keep
| > it secured from attack. Transmitting it in any form to the Internet is just plain reckless.
| >
| > --
| > TideRider
|
| It's an intranet site, not accessible from the outside world. The
| only reason I am wanting to do this is to protect the administrative
| information. There are only a couple of people who should know how to
| do certain things. There are no passwords on the site, nor is there
| anything which is truly destructive, it's a purely informational/how-
| to site. But I would rather restrict access to certain pieces of
| information than to get paged at 3 AM because someone did something by
| accident. I had another thought last night... if I were to code a JSP
| which checks the entered username and password against a database
| table, I might be able to hide more information.

That is the approach I would take. If this is the only thing you need a database table for,
you may also consider an XML file, or even a static data structure, since it doesn't
sound like you need a dynamic list of users.

--
TideRider
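
The server-side check suggested in this thread, sketched as an added example (not code from either poster): the user table is a static in-memory structure that never leaves the server and holds only salted PBKDF2 output. The class name, the sample account and password, and the iteration count are assumptions made for illustration.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Hypothetical server-side verifier; the applet or browser only ever sees accept/reject. */
public class AdminCredentialCheck {
    private static final int ITERATIONS = 210_000; // assumed work factor
    private static final int KEY_BITS = 256;

    // username -> { salt, derived key }. No plaintext password is stored.
    private static final Map<String, byte[][]> USERS = new ConcurrentHashMap<>();
    // Record used for unknown usernames so both paths cost the same.
    private static final byte[][] DUMMY = enroll("unused".toCharArray());

    static byte[] derive(char[] password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    static byte[][] enroll(char[] password) {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        return new byte[][] { salt, derive(password, salt) };
    }

    /** True only if the user exists and the password matches. */
    public static boolean verify(String username, char[] password) {
        byte[][] rec = USERS.get(username);
        boolean known = rec != null;
        if (!known) rec = DUMMY; // still run the derivation for unknown users
        byte[] candidate = derive(password, rec[0]);
        // MessageDigest.isEqual compares without an early exit on mismatch.
        return MessageDigest.isEqual(candidate, rec[1]) & known;
    }

    public static void main(String[] args) {
        // Constructed sample account; a real table would hold precomputed records.
        USERS.put("admin1", enroll("constructed-sample-pw".toCharArray()));
        System.out.println(verify("admin1", "constructed-sample-pw".toCharArray()));
        System.out.println(verify("admin1", "wrong".toCharArray()));
        System.out.println(verify("nobody", "constructed-sample-pw".toCharArray()));
    }
}
```

A JSP or servlet would pass the submitted form fields to `verify()` and record the result in the server-side session, so no account data is sent to the client.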

