Does SPNego support the DigestLogin module?


Hi ,

We have implemented a standalone J2EE portal deployed on SAP WAS. This portal uses domain authentication configured with SPNego.

While configuring SPNego we are using the BasicPassword login module as the authentication module, but this results in a security issue when watching the HTTP requests in the HttpWatch tool. The password is visible in Base64-encoded form, which can be turned back into clear text by decoding it.

We planned to use the DigestLogin module, which is more secure than the BasicPassword login module, but after configuring the DigestLogin module for SPNego, the user is not getting authenticated in SAP WAS.

Could somebody help me with a resolution for this scenario, or let me know whether SPNego supports the DigestLogin module?

Ravi.


Answers (2)



Hi Michael,

Thanks for your inputs. We already recommended that customers go for an HTTPS communication channel for security. Even if you use HTTPS communication, the IEWatch/HttpWatch tool is still tracking the password in Base64-encoded form.

As we are using domain authentication, we don't have control on the password.

Regards,

Ravi.

Former Member

Your issue is not completely clear to me. Either you log on to the portal with basic authentication; in that case, go for HTTPS.

Or you authenticate the users with the Kerberos ticket (SPNego); in that case no password is transmitted at all.

Can you be more specific about the password you see in HttpWatch?

Regards, Michael


When using the IEWatch tool, in the HTTP request header I am able to see the password in the following header:

Authorization Basic cmVxdWVzdGVyOm9wdHVyYQ==

I can see the above header even if I use HTTPS communication.

I couldn't attach any screenshot.

Regards,

Ravi.
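To make the difference between the three schemes discussed in this thread concrete, here is an added example (not code from the original thread, SAP, or HttpWatch) that inspects an HTTP Authorization header value and reports whether a reusable password can be recovered from it by anyone who sees the request, such as an in-browser capture tool or malware. A Basic header decodes straight back to user:password; a Negotiate header carries a GSS-API/SPNEGO token and no password; a Digest header carries only a hash computed over the password. All three sample header values below are constructed for the example; the Negotiate token is only the outer GSS-API framing with the SPNEGO OID, not a real Kerberos ticket, and the Digest `response` value is an arbitrary placeholder.

```python
import base64
import re
from binascii import Error as B64Error

# DER-encoded mechanism OIDs found at the start of a GSS-API InitialContextToken
# (RFC 2743 section 3.1): SPNEGO is 1.3.6.1.5.5.2, Kerberos V5 is 1.2.840.113554.1.2.2.
SPNEGO_OID_DER = bytes.fromhex("06062b0601050502")
KERBEROS_OID_DER = bytes.fromhex("06092a864886f712010202")


def _parse_digest_params(text):
    """Turn 'k="v", k2=v2' into a dict; quoted and unquoted values both allowed."""
    params = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', text):
        params[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return params


def inspect_authorization(header_value):
    """Classify one Authorization header value.

    Returns a dict with at least 'scheme', 'valid' and 'password_recoverable'.
    'password_recoverable' is True only when the cleartext password can be read
    directly out of the header, which is the case for Basic and nothing else here.
    """
    scheme, _, rest = header_value.strip().partition(" ")
    scheme = scheme.lower()
    rest = rest.strip()

    if scheme == "basic":
        # RFC 7617: base64(user ":" password). Base64 is encoding, not encryption.
        try:
            decoded = base64.b64decode(rest, validate=True).decode("utf-8")
        except (B64Error, UnicodeDecodeError):
            return {"scheme": "Basic", "valid": False, "password_recoverable": False}
        user, sep, password = decoded.partition(":")
        return {
            "scheme": "Basic",
            "valid": bool(sep),
            "username": user,
            "password": password,
            "password_recoverable": True,
        }

    if scheme == "negotiate":
        # RFC 4559: base64 of a GSS-API token. The token is a Kerberos service
        # ticket plus authenticator; the user's password never leaves the client.
        try:
            token = base64.b64decode(rest, validate=True)
        except B64Error:
            return {"scheme": "Negotiate", "valid": False, "password_recoverable": False}
        gss_framed = token[:1] == b"\x60"  # [APPLICATION 0] tag of InitialContextToken
        head = token[:32]
        if SPNEGO_OID_DER in head:
            mech = "SPNEGO"
        elif KERBEROS_OID_DER in head:
            mech = "Kerberos"
        else:
            mech = "unknown"
        return {
            "scheme": "Negotiate",
            "valid": gss_framed,
            "mechanism": mech,
            "token_bytes": len(token),
            "password_recoverable": False,
        }

    if scheme == "digest":
        # RFC 7616: the 'response' field is a hash over (user, realm, password, nonce, ...).
        # No cleartext password, although an MD5 response can still be attacked offline.
        params = _parse_digest_params(rest)
        return {
            "scheme": "Digest",
            "valid": "response" in params and "username" in params,
            "username": params.get("username"),
            "response": params.get("response"),
            "password_recoverable": False,
        }

    return {"scheme": scheme, "valid": False, "password_recoverable": False}


# Constructed sample headers (not captured from any real system).
SAMPLE_HEADERS = [
    "Basic YWxpY2U6czNjcjN0",                         # alice:s3cr3t
    "Negotiate YAgGBisGAQUFAg==",                     # 60 08 06 06 2b 06 01 05 05 02
    'Digest username="alice", realm="portal", nonce="abc123", '
    'uri="/irj/portal", response="1d3c5ac9e4c01f6a4c2b7d8f0a9e1b2c"',
]


def audit(headers=SAMPLE_HEADERS):
    """Return the scheme names whose headers expose a recoverable password."""
    return [r["scheme"] for r in map(inspect_authorization, headers) if r["password_recoverable"]]


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(inspect_authorization(h))
    print("schemes leaking a password:", audit())
```

Run against the constructed samples, only the Basic header ends up in the `audit()` result. That is the whole point of the thread: HTTPS protects the Basic header on the wire, but anything that sees the request before encryption (a browser plug-in such as IEWatch, or malware in the same position) can decode it, whereas a working SPNego/Kerberos logon never puts a password in the request at all.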

Former Member

I assume that IEWatch captures the traffic in the browser before it is encrypted and sent over the network; that is why it is able to show you the data at all. I just did a packet capture with Wireshark and it really looks like the HTTPS encryption works perfectly.

Cheers Michael


Thanks Michael. Do you have any recommendations or solutions to avoid this capturing?

Appreciate your help!!

Regards,

Ravi

Former Member

As I said, IEWatch is "sitting" in your browser; nobody else on the network can read the password. But malware can of course use the same technique. This can only be avoided by securing your desktop PCs:

- no surfing on warez, porn sites etc.

- not working with administrator rights

- no installing of unknown software, no clicking on shady attachments

- using protection software like antivirus, intrusion detection clients, email scanners

Cheers Michael

Former Member

Do you only want to prevent the unsafe transmission of the password for the initial SPNego configuration?

Then why not use HTTPS: https://<your_host>:50001/spnego

Or set the password temporarily and put it back after the configuration.

Regards, Michael