[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: mod_auth_kerb and Heimdal KDC
On Wed, Aug 21, 2002 at 08:20:30AM -0600, Tillman Hodgson wrote:
> > We are using an apache module available from
> > http://meta.cesnet.cz/software/heimdal/index.en.html
> Yes, that's the module that I'm using as well. Their patches for Mozilla
> and Apache look seriously interesting ... much better than the "dump the
> login page onto SSL" approach.
Just a remark to SSL:
The Microsoft draft (which the Mozilla+Apache patches are based on) specifies
only mechanims for authentication. Some another method (e.g. SSL) must be used
to ensure integrity control of transmitted HTTP messages. Otherwise, a
malicious user would be able to copy an Authorization header (comming from a
valid user) and past it to another message.