users@jersey.java.net

Re: [Jersey] DIGEST Authentication with Jersey client

From: Witold Szczerba <pljosh.mail_at_gmail.com>
Date: Wed, 9 Jun 2010 17:09:47 +0200

2010/6/9 Morten <mortench2004_at_yahoo.dk>:
> --- Den tirs 8/6/10 skrev Witold Szczerba <pljosh.mail_at_gmail.com>:
>> As far as I know, BASIC authentication is secure enough when it goes
>> over SSL. It is even better than DIGEST over plain HTTP because SSL
>> protects not only the password, but the content as well.
>
> Except that SSL can't be used in most intranet applications and that SSL is slower.... So NO, SSL is not a golden hammer and a general lifeline for security.
>
> I agree with the point raised that BASIC authentication is dangerous and should be deprecated. Jersey NEEDS to support DIGEST authentication!
>
> /Morten
>

That is all true. More than that - it is quite hard to implement
"logout" functionality when BASIC authentication is used, because
there is no API for the browser to forget login credentials, so it keeps
sending them until one restarts the browser. By the way: what do you
mean by SSL can't be used in most intranet applications?

Regards,
Witold Szczerba
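An added example, not part of the thread above and not Jersey code, showing what the two schemes being debated actually put on the wire: BASIC is a reversible base64 encoding of user:password, while DIGEST (RFC 2617, qop=auth) sends an MD5 of the password combined with a server nonce, so the password itself never crosses the network, although the request body and the reply still do in clear over plain HTTP. It is written in Python rather than against the Jersey client API; the challenge values (user Mufasa, realm testrealm@host.com, the nonce and cnonce) are the worked example from RFC 2617 section 3.5, used here as constructed input, and the function names are the example's own.

```python
"""Added example (not from the Jersey mailing list or the Jersey project):
compare the HTTP Basic and Digest (RFC 2617, qop=auth) Authorization headers
and verify a Digest header on the server side."""
import base64
import hashlib
import hmac
import re


def basic_header(username, password):
    """Basic auth: the password is merely base64-encoded, i.e. sent in clear."""
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    return "Basic " + token


def decode_basic(header):
    """Anyone who sees a Basic header recovers the password with one decode."""
    raw = base64.b64decode(header.split(" ", 1)[1]).decode()
    user, password = raw.split(":", 1)
    return user, password


def _md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_ha1(username, realm, password):
    """HA1 = MD5(user:realm:password). A server can store this instead of the
    password; it is all that is needed to verify (and to impersonate) a user."""
    return _md5_hex("%s:%s:%s" % (username, realm, password))


def digest_response_from_ha1(ha1, method, uri, nonce, cnonce, nc="00000001", qop="auth"):
    """RFC 2617 with qop=auth: response = MD5(HA1:nonce:nc:cnonce:qop:HA2),
    HA2 = MD5(method:uri). The body of the request is not covered by the hash."""
    ha2 = _md5_hex("%s:%s" % (method, uri))
    return _md5_hex("%s:%s:%s:%s:%s:%s" % (ha1, nonce, nc, cnonce, qop, ha2))


def digest_response(username, password, realm, method, uri, nonce, cnonce,
                    nc="00000001", qop="auth"):
    return digest_response_from_ha1(digest_ha1(username, realm, password),
                                    method, uri, nonce, cnonce, nc, qop)


def digest_header(username, password, realm, method, uri, nonce, cnonce,
                  nc="00000001", qop="auth"):
    """Client side: build the Authorization header for a server challenge."""
    resp = digest_response(username, password, realm, method, uri, nonce, cnonce, nc, qop)
    return ('Digest username="%s", realm="%s", nonce="%s", uri="%s", '
            'qop=%s, nc=%s, cnonce="%s", response="%s"'
            % (username, realm, nonce, uri, qop, nc, cnonce, resp))


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')


def parse_digest(header):
    """Parse 'Digest k="v", k=v, ...' into a dict (quoted or bare values)."""
    body = header.split(" ", 1)[1]
    return {k: (q if q else u) for k, q, u in _PARAM.findall(body)}


def verify_digest(header, method, ha1_for, issued_nonces):
    """Server side. ha1_for(username, realm) returns the stored HA1 or None;
    issued_nonces is the set of nonces this server handed out and has not
    retired, so a captured header cannot simply be replayed later."""
    p = parse_digest(header)
    needed = ("username", "realm", "nonce", "uri", "cnonce", "nc", "qop", "response")
    if any(k not in p for k in needed) or p["nonce"] not in issued_nonces:
        return False
    ha1 = ha1_for(p["username"], p["realm"])
    if ha1 is None:
        return False
    expected = digest_response_from_ha1(ha1, method, p["uri"], p["nonce"],
                                        p["cnonce"], p["nc"], p["qop"])
    # constant-time compare so the check itself leaks nothing about 'expected'
    return hmac.compare_digest(expected, p["response"])


if __name__ == "__main__":
    # Constructed input: the RFC 2617 section 3.5 example values.
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
    print(basic_header("Aladdin", "open sesame"))        # password recoverable
    hdr = digest_header("Mufasa", "Circle Of Life", "testrealm@host.com",
                        "GET", "/dir/index.html", nonce, "0a4f113b")
    print(hdr)                                           # no password in it
    store = {("Mufasa", "testrealm@host.com"):
             digest_ha1("Mufasa", "testrealm@host.com", "Circle Of Life")}
    print(verify_digest(hdr, "GET", lambda u, r: store.get((u, r)), {nonce}))
```

The verifier deliberately keys on the server-issued nonce and the HTTP method: changing either makes a captured header useless, which is the property BASIC lacks. Note what is still missing even with DIGEST: nothing in the response hash covers the request body or the server's reply, which is the point made in the thread that SSL protects the content and DIGEST over plain HTTP does not.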