WebApp Sec mailing list archives
RE: Securing password between webserver & appserver.
From: "Calderon, Juan Carlos (GE, Corporate, consultant)" <juan.calderon () ge com>
Date: Wed, 9 Sep 2009 14:14:39 -0400
Don, that is an interesting suggestion. Do you have more specific information? I only know that SSL/IPSec can be end-to-end on a per-link basis, but the idea of real end-to-end encryption using SSL, which is Chintan's case, is interesting. Any link or whitepaper on how to do this in Tomcat, as you mention?

Regards,
Juan Carlos

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of bigbert007
Sent: Tuesday, 08 September 2009 10:34 p.m.
To: webappsec () securityfocus com
Subject: Re: Securing password between webserver & appserver.

Till - great recommendation, I'll expand on it. Depending on the back-end app server, there is usually a mechanism in place for creating a trust between the web server and app server and then encrypting that connection with SSL. When credentials are entered, the entire pipe is encrypted from the client > webserver > app server based upon that trust relationship and SSL-encrypted connection. Websphere has this option available, as does Tomcat. I suspect that Coldfusion and other app servers have something similar.

Good luck.
Don

Till Elsner wrote:
What about securing (i.e. encrypting) the connection between web server and app server itself, like connecting to the app server from the web server via an SSH-forwarded local port? You could keep the original authentication method and have the entire communication encrypted anyway.

Greetings
Till

On 07.09.2009 at 08:04, Chintan Oza wrote:

Dear All,

We have a web application which performs user authentication on an id+password basis. The architecture is like this:

Browser<-HTTPS->WebServer<-->AppServer

We have a requirement where the password should not be available to the WebServer (even in hashed format). The only solution that I can think of is having an Applet perform PKI encryption on the password before submitting the form. Please suggest if there are any better alternatives.

Thanks,
Chintan
Current thread:
- Re: Securing password between webserver & appserver., (continued)
- Re: Securing password between webserver & appserver. Chintan Oza (Sep 07)
- Re: Securing password between webserver & appserver. Ali, Saqib (Sep 07)
- Re: Securing password between webserver & appserver. Chintan Oza (Sep 07)
- Re: Securing password between webserver & appserver. Robert Hajime Lanning (Sep 07)
- RE: Securing password between webserver & appserver. EXT-Adams, Randall E (Sep 07)
- Re: Securing password between webserver & appserver. arvind doraiswamy (Sep 07)
- Re: Securing password between webserver & appserver. Chintan Oza (Sep 07)
- Re: Securing password between webserver & appserver. arvind doraiswamy (Sep 08)
- Re: Securing password between webserver & appserver. Chintan Oza (Sep 07)
- RE: Securing password between webserver & appserver. Ken Schaefer (Sep 07)
- Re: Securing password between webserver & appserver. Till Elsner (Sep 08)
- Re: Securing password between webserver & appserver. bigbert007 (Sep 08)
- RE: Securing password between webserver & appserver. Calderon, Juan Carlos (GE, Corporate, consultant) (Sep 09)
- Re: Securing password between webserver & appserver. bigbert007 (Sep 08)
- RE: Securing password between webserver & appserver. Martin O'Neal (Sep 07)
- RE: Securing password between webserver & appserver. Martin O'Neal (Sep 08)