The password between server and client is being passed in clear text even though SSL is already activated. The security tester is saying that the password can be seen in the network layer, whereas it is secured in the application layer due to SSL. Can anyone help me regarding this issue?
Is the tester trying a man-in-the-middle attack? – Bimalesh Jha Feb 08 '13 at 09:50
Without information on how you've implemented the SSL (and specifically how you've ensured that the login page and login action use HTTPS), you won't get any real answers. – Feb 08 '13 at 10:03
This is the configuration made in server.xml...
– gmk Feb 12 '13 at 11:09
1 Answer
To prevent this, use Digest auth: http://en.wikipedia.org/wiki/Digest_access_authentication
Read e.g. the Spring solutions: http://static.springsource.org/spring-security/site/docs/3.0.x/reference/basic.html http://www.jpalomaki.fi/?p=190 http://www.tinhtruong.me/2011/10/spring-security-with-digest.html

StanislavL
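To make concrete what the answer above proposes, here is an added worked example (not code from the original post or from Spring Security) of the HTTP Digest exchange from RFC 2617 with qop=auth, simulated end to end in Python: the server issues a challenge with a fresh nonce, the client answers with an MD5 digest of the password, nonce and request, and the server verifies it from a stored HA1 hash and rejects a replayed header. The realm, username and password are constructed sample values; the header strings the functions return are exactly what an observer at the network layer would see, and the password does not appear in either of them. Note that Digest auth only hashes the password with MD5; it hides the password from a sniffer but does not replace TLS for protecting the rest of the session.

```python
"""HTTP Digest authentication (RFC 2617, qop=auth) worked end to end.

Both sides run in-process; the two header strings are exactly what an
observer on the wire would see. Realm, user and password below are
constructed sample values, not taken from the original post."""
import hashlib
import hmac
import re
import secrets

REALM = "example-realm"        # assumed realm name
USER = "alice"                 # constructed sample user
PASSWORD = "correct horse"     # constructed sample password


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password). The server stores this, not the password."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(h1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2) with HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def parse_auth_header(header: str) -> dict:
    """Parse 'Digest k="v", k2=v2, ...' into a dict (quoted or bare values)."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest header")
    params = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', header[len("Digest "):]):
        params[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return params


class DigestServer:
    """Holds only HA1 per user and tracks nonce counters to reject replays."""

    def __init__(self, realm: str, users: dict):
        self.realm = realm
        self.users = users            # username -> HA1
        self.nonces = {}              # nonce -> highest nc accepted so far

    def challenge(self) -> str:
        """WWW-Authenticate value: a fresh random nonce bound to this server."""
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return f'Digest realm="{self.realm}", qop="auth", nonce="{nonce}"'

    def verify(self, method: str, uri: str, header: str) -> bool:
        p = parse_auth_header(header)
        needed = {"username", "realm", "nonce", "uri", "qop", "nc", "cnonce", "response"}
        if not needed.issubset(p) or p["realm"] != self.realm or p["uri"] != uri:
            return False
        if p["nonce"] not in self.nonces or p["username"] not in self.users:
            return False
        nc = int(p["nc"], 16)
        if nc <= self.nonces[p["nonce"]]:
            return False              # replayed or out-of-order nonce count
        expected = digest_response(self.users[p["username"]], method, uri,
                                   p["nonce"], p["nc"], p["cnonce"], p["qop"])
        if not hmac.compare_digest(expected, p["response"]):
            return False
        self.nonces[p["nonce"]] = nc
        return True


def client_authorization(challenge: str, username: str, password: str,
                         method: str, uri: str, nc: int = 1) -> str:
    """Build the Authorization header; the password never leaves this function."""
    c = parse_auth_header(challenge)
    cnonce = secrets.token_hex(8)
    nc_str = f"{nc:08x}"
    resp = digest_response(ha1(username, c["realm"], password), method, uri,
                           c["nonce"], nc_str, cnonce, c["qop"])
    return (f'Digest username="{username}", realm="{c["realm"]}", nonce="{c["nonce"]}", '
            f'uri="{uri}", qop={c["qop"]}, nc={nc_str}, cnonce="{cnonce}", response="{resp}"')


def run_exchange(method: str = "GET", uri: str = "/login") -> dict:
    """One full challenge/response, then a replay of the same header."""
    server = DigestServer(REALM, {USER: ha1(USER, REALM, PASSWORD)})
    challenge = server.challenge()
    authz = client_authorization(challenge, USER, PASSWORD, method, uri)
    return {
        "challenge": challenge,
        "authorization": authz,
        "accepted": server.verify(method, uri, authz),
        "replay_accepted": server.verify(method, uri, authz),
        "password_on_wire": PASSWORD in (challenge + authz),
    }


if __name__ == "__main__":
    for key, value in run_exchange().items():
        print(f"{key}: {value}")
```

Running the script prints the two headers a sniffer would capture and shows the first verification accepted, the replay rejected, and the password absent from the wire. The server side never needs the clear-text password, only HA1, which is why this scheme is the usual answer to "the password is visible in the capture"; the remaining weakness is that HA1 is an unsalted MD5 and an offline guess against a captured response is still possible, so TLS stays necessary.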