From: EXT-Adams, Randall E (Randall.E.Adams@boeing.com)
Date: Mon Sep 07 2009 - 08:52:01 CDT
You are right. Without changing your architecture or requirements you
would have to have the client encrypt the message before sending it
through an untrusted web server.
If you are worried about message integrity you will have to encrypt the
message with one key then create a MAC with another key. You will have
to maintain two sets of public/private keys here.
Maybe OpenSSO is something you would be interested in. Effectively it
allows you to put a servlet filter into your web application that
redirects the user to go log into a separate application server before
being redirected back to your application.
OpenSSO would be a lot of work -- all it really gets you is the ability
to delegate authentication to a different app server. I would rather
support OpenSSO (with all its complexity) than a custom applet-based
From: Chintan Oza [mailto:chintan.oza@gmail.com]
Sent: Monday, September 07, 2009 2:04 AM
Subject: Securing password between webserver & appserver.
We have a web application which performs user authentication on
The architecture is like this.
We have a requirement where password should not be available to the
WebServer (even in hashed format).
The only solution I can think of is having an applet perform PKI
encryption on the password before submitting the form.
Please suggest if there are any better alternatives.
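As an added illustration of the two-key design Randall describes (encrypt with one key, MAC with another, the web server only relays), not code from either poster: the client seals the password, an untrusted web server forwards the opaque blob (and, in one run, tampers with it), and the app server checks the MAC before decrypting. To stay in the Python standard library it assumes pre-shared symmetric keys held only by client and app server, and uses HMAC-SHA256 in counter mode as a stand-in for a real cipher such as AES-GCM; the thread's public/private key pairs would play the same roles.

```python
import hashlib
import hmac
import os

# Constructed demo keys (assumption: in practice provisioned between the client
# and the app server only; the web server in the middle never holds either one).
ENC_KEY = hashlib.sha256(b"demo-encryption-key").digest()
MAC_KEY = hashlib.sha256(b"demo-mac-key").digest()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib-only stand-in for a real cipher."""
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def client_seal(password: bytes) -> dict:
    """Client side: encrypt with ENC_KEY, then MAC nonce+ciphertext with MAC_KEY."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(password, keystream(ENC_KEY, nonce, len(password))))
    tag = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def webserver_relay(blob: dict, tamper: bool = False) -> dict:
    """Untrusted web server: forwards opaque hex fields; optionally flips one ciphertext bit."""
    if tamper:
        ct = bytearray(bytes.fromhex(blob["ct"]))
        ct[0] ^= 0x01
        blob = dict(blob, ct=ct.hex())
    return blob


def appserver_open(blob: dict):
    """App server: verify the tag first; decrypt only if it matches, else return None."""
    nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "ct", "tag"))
    expected = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, keystream(ENC_KEY, nonce, len(ct))))


def demo(password: bytes = b"correct horse battery staple"):
    """Returns (password recovered by the app server, result after web-server tampering)."""
    sealed = client_seal(password)
    return appserver_open(webserver_relay(sealed)), appserver_open(webserver_relay(sealed, tamper=True))
```

The web server sees only nonce, ciphertext and tag, so it can neither read the password nor alter the ciphertext without the app server rejecting it.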