[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [ajug-members]: 128 bit encryption

To: ajug-members@ajug.org
Subject: Re: [ajug-members]: 128 bit encryption
From: pervaz@att.net
Date: Fri, 21 May 2004 19:38:43 +0000
Cc: Rob Kischuk <rkischuk@gttx.org>, ajug-members@ajug.org

If I remember my DevConn security talk from tuesday completely but;

I believe that you can use a custom form with the digestor for the password. But you need to have fields and action that has a specific name. and that it is J2ee standard. And you need to mention this form in the properties file in the security section.

I take poor notes so I do not have it on me but it might be woth your while to look at Devconn notes on security; they are probably linked on AJUG site.

Any body else attended second or correct me?

Pervaz


> Let me add to my explanation.  It actually depends on what you want to 
> encrypt.  If you want to encrypt the entire page, then my explanation 
> stands, SSL is the preferred way to encrypt data between a web browser 
> (or SOAP client) and the app server.
> 
> If you only need to encrypt the password at that level as it travels 
> over the internet, you can use J2EE container-managed DIGEST 
> authentication, which hashes only the password using the MD5 algorithm 
> to encrypt the password to a 128 bit message digest.  The unfortunate 
> aspects of this are that a) not all containers support it and b) it 
> requires that you log in using a pop-up form rather than your own 
> customized HTML form.
> 
> -Rob
> 
> Rob Kischuk wrote:
> 
> > Jason Kretzer/STAR BASE Consulting Inc. wrote:
> >
> >>
> >> Is there a way to provide 128 bit encryption in WebSphere or similar 
> >> Java application server.  I may have need of a login page that 
> >> provides this level of encryption.
> >>
> >> If not, is there a way to achieve this with other Java related tools?
> >
> >
> > You can do this in Websphere and pretty much any other J2EE app server 
> > - it only depends on the underlying HTTP server implementation.  To do 
> > this right, you'll need to purchase an SSL certificate for the domain 
> > that is being secured - this runs $199 a year when purchased from 
> > Thawte (http://www.thawte.com).  You can generate your own SSL 
> > certificate, but that approach makes a warning message appear when 
> > users access the site (browsers only implicitly trust a few signing 
> > authorities, and when you generate your own, you are acting as the 
> > signing authority).
> >
> > -Rob
> 
>

Prev by Date: Re: [ajug-members]: Java 1.4 certification exam
Next by Date: Bruce Bowles/ADV/IT/AJC/US is out of the office.
Prev by thread: Re: [ajug-members]: Java 1.4 certification exam
Next by thread: Bruce Bowles/ADV/IT/AJC/US is out of the office.
Index(es):
- Date
- Thread