perfsonar development work

[Loukik Kudarimoti <>]

Michael Michalis wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>  
> Hi Loukik,
>
> I'm puzzled about security in the eXist admin servlet(and for any
> servlet to be exact). As you have seen there is log in page in the
> servlet where the user places a user name and password that has admin
> permissions to exist. This credentials are then passed to the servlet
> where they are checked against exist users to see if they are true. If
> so, a session is created with the user credentials and the user can
> continue using the servlet until he has unlogged which in this case
> the session is destroyed.
>
> So there are some security issues here:
>
> 1)The user name and password for the user to be verified are sent
> through an html password field which is not encrypted. This can surely
> cause security problems. In order to encrypt these fields you will
> need to add some scripting in the page, or use https or ssl. The last
> two may require some changes to the server(Tomcat) which can
> complicate things for the service user. The first may require the user
> to enable scripting in his browser. We could also use tomcats
> authentication, like in the properties servlet, but the interface will
> change(Maybe this is the simpler and best solution). Weird enough,
> the  eXist administration servlet that comes along with exist, does
> not use any kind of encryption, in fact it uses a GET method for
> sending the password!(So there could be a security hole in our
> services there...)
>
> 2)For both kinds of servlets we are creating users and changing
> properties that are crucial for the security of our services, like the
> password for the exist user. These information are still send  without
> any encryption to the servlet. In this case the use of scripting or
> ssl are mandatory.(Remarkably enough the native exist web admin does
> not encrypt anything and again uses GET )
>
>
> So how important are these security issues? Do we need to handle them
> right now or they could be left in the future. And if  they need to be
> addressed right away what do you thing the correct solution would
> be?(scripting, SSL or something else?)
>   
Hi Michalis,

You have done a thorough investigation and come up with very good 
points. Good work. I wouldn't worry about them right now because of all 
the resource constraints. Can you file it in bugzilla (Other category) 
and we work on it after this release.
Loukik.
> Best Regards,
>
>
> Michalis Michael
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>  
> iD8DBQFHQUUKoEWq51/Q/40RAt6SAJ464mMbcZogWjJC18uRAyxAWafd7QCgjkqS
> CctKJfV1j7PH+99ekjP5gB0=
> =JHxD
> -----END PGP SIGNATURE-----
>
>   


--

---------------------------------------------------------------
L o u k i k   K u d a r i m o t i

     * *              Network Engineer
   *     *            City House, 126 - 130, Hills Road
  *                   Cambridge CB2 1PQ, United Kingdom
  *                   WWW: http://www.dante.net
D  A  N  T  E          Tel:+44 1223 371300 Fax:+44 1223 371371