Search: Home Bugtraq Vulnerabilities Mailing Lists Jobs Tools Beta Programs
Web Application Security
Securing password between webserver & appserver. Sep 07 2009 06:04AM
Chintan Oza (chintan oza gmail com) (7 replies)
Re: Securing password between webserver & appserver. Sep 08 2009 11:58PM
Till Elsner (Till Elsner uni-duesseldorf de) (1 replies)
Re: Securing password between webserver & appserver. Sep 09 2009 03:34AM
bigbert007 (bigbert007 gmail com) (1 replies)
RE: Securing password between webserver & appserver. Sep 09 2009 06:14PM
Calderon, Juan Carlos (GE, Corporate, consultant) (juan calderon ge com)
RE: Securing password between webserver & appserver. Sep 08 2009 03:48AM
Ken Schaefer (Ken adOpenStatic com)
Is this an internal application? Kerberos can be used to solve this problem for internal apps.

Alternatively, can you use client certificate based authentication?

Cheers
Ken

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of Chintan Oza
Sent: Monday, 7 September 2009 2:04 PM
To: webappsec (at) securityfocus (dot) com [email concealed]
Subject: Securing password between webserver & appserver.

Dear All,

We have a web application which perform user authentication on
id+password basis.

The architecture is like this.
Browser<-HTTPS->WebServer<-->AppServer

We have a requirement where password should not be available to the WebServer (even in hashed format).

Only solution that I can think of is having an Applet performing PKI encryption on the password before submitting the form.

Please suggest if there are any better alternatives.

Thanks,

Chintan

[ reply ]
Re: Securing password between webserver & appserver. Sep 07 2009 04:29PM
arvind doraiswamy (arvind doraiswamy gmail com) (1 replies)
Re: Securing password between webserver & appserver. Sep 08 2009 05:20AM
Chintan Oza (chintan oza gmail com) (1 replies)
Re: Securing password between webserver & appserver. Sep 08 2009 04:15PM
arvind doraiswamy (arvind doraiswamy gmail com)
RE: Securing password between webserver & appserver. Sep 07 2009 01:52PM
EXT-Adams, Randall E (Randall E Adams boeing com)
Re: Securing password between webserver & appserver. Sep 07 2009 08:58AM
Robert Hajime Lanning (robert lanning gmail com)
Re: Securing password between webserver & appserver. Sep 07 2009 07:40AM
Ali, Saqib (docbook xml gmail com) (1 replies)
Re: Securing password between webserver & appserver. Sep 07 2009 08:40AM
Chintan Oza (chintan oza gmail com) (1 replies)
Re: Securing password between webserver & appserver. Sep 07 2009 01:38PM
Ali, Saqib (docbook xml gmail com)
Re: Securing password between webserver & appserver. Sep 07 2009 06:29AM
Nikhil Wagholikar (visitnikhil gmail com)







 

Privacy Statement
Copyright 2009, SecurityFocus