Security Authentication Question
- Subject: Security Authentication Question
- From: "Albert Jagnow" <email@hidden>
- Date: Fri, 26 Sep 2003 13:30:50 -0500
- Priority: normal
- Thread-topic: Security Authentication Question
I am creating an application for an intranet that, once deployed, will be
accessed from a Windows IIS web server talking to the WO application
deployed on a Mac OS X Server (Xserve). I would like to secure this
application so that only certain users have access to it.
Currently this IIS server is set up so that all users accessing the site
are required to log in. The way it is set up is that a Windows group
policy does an auto login (I think it is Kerberos based) to the server,
so the user never needs to enter another password. I would like to keep
it so the users don't need to enter any additional passwords. I have
already tested that I can determine the current user by looking at
headerForKey("REMOTE_USER"). Would it be sufficient for security if, for
example, when I only wanted user jsmith to access this application, I
checked whether the REMOTE_USER header is jsmith and, if not, returned an
error page? Can anyone see any way to get around this security method?
The only problems I could think of would be if someone on the network
set up another web server and impersonated the real web server, or
somehow hacked the real web server and took it over. Is there any other
way to spoof request header information to a WO application? Does this
seem like a good method of doing security, or would there be a better
way of doing the security and still keep the user from needing to enter
additional passwords?
--Albert
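An added example, not part of the original post and not WebObjects code: the REMOTE_USER header is just text in the request, so any client that can open a connection to the application's adaptor port without going through the IIS front end can send `REMOTE_USER: jsmith` itself. The check below, written in Python rather than Java so it runs stand-alone, shows one way to make the header trustworthy: accept it only when the request arrives from the front end's address and carries an HMAC that the front end computed with a secret shared with the application. The proxy address, the secret, the `X-Auth-Timestamp` and `X-Auth-Signature` header names, and the sample requests are all constructed assumptions for illustration; the original poster's setup used none of them.

```python
import hashlib
import hmac
import time
from typing import Dict, Mapping, Optional

# Assumed deployment values: the address the IIS front end connects from
# and a secret configured on both the front end and the application.
TRUSTED_PROXY_ADDRS = {"10.0.0.5"}
SHARED_SECRET = b"replace-with-a-long-random-secret"
MAX_SKEW_SECONDS = 300          # how stale a signed header may be
ALLOWED_USERS = {"jsmith"}       # the application's own allowlist


def sign_user(user: str, timestamp: int, secret: bytes = SHARED_SECRET) -> str:
    """HMAC-SHA256 over user and timestamp; the front end would attach this."""
    message = f"{user}|{timestamp}".encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def signed_request(user: str, timestamp: int) -> Dict[str, str]:
    """Constructed headers as a correctly configured front end would send them."""
    return {
        "REMOTE_USER": user,
        "X-Auth-Timestamp": str(timestamp),
        "X-Auth-Signature": sign_user(user, timestamp),
    }


def authenticated_user(headers: Mapping[str, str], remote_addr: str,
                       now: Optional[int] = None) -> Optional[str]:
    """Return the user named by REMOTE_USER only if the request demonstrably
    came through the trusted front end; otherwise None.

    Two independent checks: the TCP peer must be the front end, and the
    header must carry a fresh signature under the shared secret. A client
    that reaches the application directly fails the first; a client that
    spoofs the source address or reaches the port some other way still
    fails the second because it cannot produce the HMAC.
    """
    if remote_addr not in TRUSTED_PROXY_ADDRS:
        return None
    user = headers.get("REMOTE_USER")
    ts_text = headers.get("X-Auth-Timestamp")
    signature = headers.get("X-Auth-Signature")
    if not user or not ts_text or not signature:
        return None
    try:
        timestamp = int(ts_text)
    except ValueError:
        return None
    current = int(time.time()) if now is None else now
    if abs(current - timestamp) > MAX_SKEW_SECONDS:
        return None          # replayed or badly skewed signature
    # Constant-time comparison so a forger cannot guess the HMAC byte by byte.
    if not hmac.compare_digest(sign_user(user, timestamp), signature):
        return None
    return user


def is_authorized(headers: Mapping[str, str], remote_addr: str,
                  now: Optional[int] = None) -> bool:
    """Authentication (who sent this) and authorization (are they allowed)."""
    user = authenticated_user(headers, remote_addr, now)
    return user is not None and user in ALLOWED_USERS


if __name__ == "__main__":
    t = int(time.time())
    # Genuine request relayed by the front end.
    print(is_authorized(signed_request("jsmith", t), "10.0.0.5", t))
    # Same header typed by hand from a workstation straight to the app.
    print(is_authorized({"REMOTE_USER": "jsmith"}, "192.168.1.77", t))
    # Valid signature for bob, header rewritten to jsmith after signing.
    forged = signed_request("bob", t)
    forged["REMOTE_USER"] = "jsmith"
    print(is_authorized(forged, "10.0.0.5", t))
```

Note what this does and does not cover. It defends against a client bypassing the front end or altering the header in transit, which is the spoofing case the post asks about. It does not help if the front end itself is taken over, since that host holds the secret and sets the header legitimately; the poster's other concern, an attacker standing up a look-alike web server, is addressed only to the extent that the look-alike does not know the secret. The same effect can often be had without application code by firewalling the application's adaptor port so only the front end can reach it, but the signature check still catches misconfiguration of that rule.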
_______________________________________________
webobjects-dev mailing list | email@hidden
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/webobjects-dev