Hi!
I have been reading lately a lot about the security system and user
authentication in GeoServer. I know that GeoServer is using the Acegi security
system. It allows you to do a lot of great things like selecting which users are
able to see some data and which users are able to modify it.
But as far as I know it is based on HTTP BASIC authentication, and it is
not quite safe, and it is not recommended to use this in applications... Am
I right??
My question is: What is so powerful in Acegi besides creating users,
roles and the ability of filtering what data may be seen...
Is there a way to change the HTTP BASIC authentication to something else??
Regards
Poul
--
View this message in context: http://old.nabble.com/Acegi-security-system---question-tp28068813p28068813.html
Sent from the GeoServer - User mailing list archive at Nabble.com.
If you want real security then you must use a TLS/SSL connection (https, with proper certificates) between the client and the server. Once you have that, http basic is fine too, because the messages are protected by the wrapper.
Switching to digest is by itself not significantly more secure. If an attacker can sniff the packets (which is where basic gets in trouble), s(he) can probably also trick (inject) the client into thinking this is basic and get the plaintext password. This is just one of many attacks, you'll practically find one for every fix that has been added to the protocol.
-Arne
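To illustrate Arne's point, here is an added example that is not from the thread or from GeoServer: a small WSGI-style check in Python that decodes a Basic header (showing it is only base64, not encryption) and accepts Basic credentials only when the request arrived over TLS. The environ dictionaries, user names and the trusted-reverse-proxy assumption are constructed for the example.

```python
import base64
import binascii


def decode_basic(header_value):
    """Return (user, password) from an 'Authorization: Basic ...' value, or None.

    Basic is base64, not encryption: whoever sees the header sees the password,
    which is why it is only acceptable inside a TLS connection.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def check_basic_auth(environ, behind_trusted_proxy=False):
    """Decide how to treat a request that may carry Basic credentials.

    Returns (status, reason). Credentials are accepted only if the request came
    over TLS: wsgi.url_scheme == 'https', or X-Forwarded-Proto says so AND the
    caller has declared the reverse proxy trusted (assumption; otherwise that
    header is client-controlled and must be ignored).
    """
    header = environ.get("HTTP_AUTHORIZATION")
    if header is None:
        return "401", "no credentials; challenge the client"
    creds = decode_basic(header)
    if creds is None:
        return "400", "malformed Basic credentials"
    scheme = environ.get("wsgi.url_scheme", "http")
    if behind_trusted_proxy:
        scheme = environ.get("HTTP_X_FORWARDED_PROTO", scheme)
    if scheme.lower() != "https":
        # The password already crossed the wire in clear text; refusing the
        # request does not undo that, but it surfaces the misconfiguration.
        return "403", "Basic credentials sent without TLS; refused"
    return "200", f"authenticated as {creds[0]} over TLS"


if __name__ == "__main__":
    # Constructed requests: same Basic header, with and without TLS.
    hdr = {"HTTP_AUTHORIZATION": "Basic YWxpY2U6cHcx"}  # alice:pw1, constructed
    print(decode_basic(hdr["HTTP_AUTHORIZATION"]))
    print(check_basic_auth({"wsgi.url_scheme": "http", **hdr}))
    print(check_basic_auth({"wsgi.url_scheme": "https", **hdr}))
```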