[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [ajug-members]: 128 bit encryption
If I remember my DevConn security talk from tuesday completely but;
I believe that you can use a custom form with the digestor for the password. But you need to have fields and action that has a specific name. and that it is J2ee standard. And you need to mention this form in the properties file in the security section.
I take poor notes so I do not have it on me but it might be woth your while to look at Devconn notes on security; they are probably linked on AJUG site.
Any body else attended second or correct me?
> Let me add to my explanation. It actually depends on what you want to
> encrypt. If you want to encrypt the entire page, then my explanation
> stands, SSL is the preferred way to encrypt data between a web browser
> (or SOAP client) and the app server.
> If you only need to encrypt the password at that level as it travels
> over the internet, you can use J2EE container-managed DIGEST
> authentication, which hashes only the password using the MD5 algorithm
> to encrypt the password to a 128 bit message digest. The unfortunate
> aspects of this are that a) not all containers support it and b) it
> requires that you log in using a pop-up form rather than your own
> customized HTML form.
> Rob Kischuk wrote:
> > Jason Kretzer/STAR BASE Consulting Inc. wrote:
> >> Is there a way to provide 128 bit encryption in WebSphere or similar
> >> Java application server. I may have need of a login page that
> >> provides this level of encryption.
> >> If not, is there a way to achieve this with other Java related tools?
> > You can do this in Websphere and pretty much any other J2EE app server
> > - it only depends on the underlying HTTP server implementation. To do
> > this right, you'll need to purchase an SSL certificate for the domain
> > that is being secured - this runs $199 a year when purchased from
> > Thawte (http://www.thawte.com). You can generate your own SSL
> > certificate, but that approach makes a warning message appear when
> > users access the site (browsers only implicitly trust a few signing
> > authorities, and when you generate your own, you are acting as the
> > signing authority).
> > -Rob