Chapter 14: Tomcat Security Authentication Mechanisms Servlet-based applications

Servlet-based applications have four standards-based authentication mechanisms from which to choose:

- BASIC
- DIGEST
- Form
- HTTPS Client Certificate

A brief description of these mechanisms follows. We demonstrate their use later in the chapter.

BASIC

As its name implies, the BASIC authentication mechanism is simplistic. The browser sends base64-encoded credentials to the server, which then decodes them and uses them to authenticate the user. This mechanism has two somewhat serious problems:

- Base64 encoding is not secure. Base64 is intended as a means of encoding binary data as ASCII text for transmission over protocols that lack support for binary data. It is not a form of encryption. In the case of the BASIC authentication mechanism, base64 is better than sending credentials in plaintext, but not much better: anyone who can read the request can decode the credentials.
- Browsers cache credentials after authentication. Once a user authenticates, there is no way for the user to log out other than by exiting the browser, or until the server times out the session because of inactivity. This disadvantage also applies to the other browser-managed authentication mechanisms, such as DIGEST and HTTPS Client Certificate.

Nevertheless, despite its insecurity, BASIC remains a good option for a simple level of security designed to keep out the mindless hordes. When administrators really don't care whether the protected resource is compromised, BASIC is not a bad mechanism to use.

DIGEST

DIGEST is a step up from BASIC. Another browser-based mechanism, DIGEST is very similar to BASIC, with the exception that the password is transmitted in a secure fashion: the browser computes a digest of the password (a digest is a one-way hash, as explained shortly) and transmits the digest to the server. The server then computes its own digest of the password it has on record and compares it with the browser-supplied digest; if the two match, the authentication is successful.

DIGEST is reasonably secure, but it too suffers from two flaws:

- In Tomcat, the original password must be stored somewhere in plaintext. This is especially unfortunate when the password is stored in a file, as it can then be viewed by anyone with access to that file on the server machine. (A workaround is possible: use file permissions to restrict access to the file.)
- It has the same cached-credential problem that BASIC has. (See the preceding section, BASIC, for details.)

A digest, also called a hash, is used to provide proof that a set of data hasn't been nefariously (or unintentionally) altered.
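To make the difference between the two mechanisms concrete, here is an added Python example (not code from the book or from Tomcat) showing what the browser actually puts on the wire under BASIC and under DIGEST (RFC 2617, without qop), and why the DIGEST server side still needs the password on record. The user, realm, password and nonce values are constructed for the example.

```python
import base64
import hashlib
import hmac

# Constructed sample values (not from the book): a user, realm and password as
# they might appear in a Tomcat realm, plus a server-chosen nonce.
USER, REALM, PASSWORD = "alice", "Example Realm", "s3cret"
NONCE = "8d3a9c1e4f2b7a60"


def basic_header(user, password):
    """Build the Authorization header a browser sends for BASIC auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def basic_decode(header):
    """Recover the credentials from a BASIC header: base64 is encoding, not
    encryption, so anyone who can read the request can do this."""
    raw = base64.b64decode(header.split(" ", 1)[1]).decode()
    user, _, password = raw.partition(":")
    return user, password


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, realm, password, nonce, method, uri):
    """Client side of RFC 2617 DIGEST (no qop): the browser sends this hash,
    never the password itself."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def digest_verify(stored_password, user, realm, nonce, method, uri, response):
    """Server side: the digest can only be checked by recomputing it, which is
    why the server needs the plaintext password on record (or at least the
    precomputed user:realm:password hash)."""
    expected = digest_response(user, realm, stored_password, nonce, method, uri)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    header = basic_header(USER, PASSWORD)
    print("BASIC sends:", header, "-> decodes to", basic_decode(header))
    resp = digest_response(USER, REALM, PASSWORD, NONCE, "GET", "/protected/")
    print("DIGEST sends:", resp, "-> verifies:",
          digest_verify(PASSWORD, USER, REALM, NONCE, "GET", "/protected/", resp))
```

Note that the DIGEST response is bound to the server's nonce, so a captured response cannot simply be replayed against a fresh challenge, whereas a captured BASIC header is reusable until the password changes.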
