Tomcat Authentication and Authorization
pieterb edited this page Mar 19, 2012
Authentication:
Type | Supported | Comments |
---|---|---|
Basic | √ | Drawbacks, see below |
HTTP Digest | √ | |
Form-based | √ | not suited for batch processing |
X.509 Certificates | √ | OK for our users |
OpenID http://openid.net/ | ? | Plays nice with OAuth |
Open Authentication | ? | Industry standard? |
User databases:
Type | Supported | Comments |
---|---|---|
file (XML) | √ | |
LDAP | √ | |
SQL | √ | |
Authorization:
Type | Supported | Comments |
---|---|---|
OAuth | ? | Plays nice with OpenID |
In an older article Tomcat Security Overview and Analysis we find:
> Because the username and password are not encrypted, and the target server's identity is not authenticated by the browser, basic authentication alone is not secure.
> You can improve security by using a secure transport mechanism such as HTTPS, or security at the network level such as a VPN.
but:
> However, if you switch to HTTP (after authenticating with basic authentication and HTTPS), your browser continues to send your username and password with each subsequent request in cleartext until you exit.
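The Tomcat-side mitigation the quoted article points at (Basic auth only over HTTPS) is a `web.xml` security constraint with a `CONFIDENTIAL` transport guarantee. The excerpt below is an added example written for this wiki page, not code from the page or from the Tomcat project; the URL pattern `/api/*`, the role name `batch` and the realm name are assumptions chosen for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example for this wiki page, not Tomcat's own configuration.
     Assumed: the protected resources live under /api/*, users that may
     call them carry the role "batch", and the realm is named "Batch API". -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <!-- 1. Which URLs are protected, who may reach them, and over what transport. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Batch API</web-resource-name>
      <url-pattern>/api/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- Only principals with the (assumed) "batch" role are authorized. -->
      <role-name>batch</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- CONFIDENTIAL: Tomcat will not serve these URLs over plaintext HTTP;
           a plaintext request is redirected to the connector's redirectPort. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- 2. How callers authenticate: HTTP Basic, as discussed in the table above. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Batch API</realm-name>
  </login-config>

  <!-- 3. Every role referenced in an auth-constraint must be declared. -->
  <security-role>
    <role-name>batch</role-name>
  </security-role>

  <!-- 4. Address the second quotation: stop browsers from ever sending the
       cached Basic credentials over plaintext HTTP. HttpHeaderSecurityFilter
       (present in Tomcat 8 and later; check the filter documentation of the
       release in use) emits a Strict-Transport-Security header on HTTPS
       responses, so a browser that has seen it refuses to issue plaintext
       requests to this host for hstsMaxAgeSeconds. -->
  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
      <param-name>hstsEnabled</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>hstsMaxAgeSeconds</param-name>
      <param-value>31536000</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

</web-app>
```

The `batch` role must also exist in whichever user database from the second table is in use; for the file (XML) realm that means a `<role rolename="batch"/>` and a `<user ... roles="batch"/>` entry in `tomcat-users.xml`. Note the limit of the `CONFIDENTIAL` guarantee on its own: it makes Tomcat refuse to serve the resource over HTTP, but a browser that already holds Basic credentials for the realm sends the `Authorization` header on its first plaintext request before it receives the redirect, which is exactly the leak the second quotation describes. The HSTS header closes that gap for browser clients; non-interactive batch clients should simply be configured with the HTTPS URL only.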