[wildfly-dev] Removing curl support from management HTTP

Jason Greene jason.greene at redhat.com
Wed Jan 8 16:46:31 EST 2014


On Jan 8, 2014, at 2:54 PM, Jason Greene <jason.greene at redhat.com> wrote:

> 
> On Jan 8, 2014, at 2:00 PM, Aleksandar Kostadinov <akostadi at redhat.com> wrote:
> 
>> I'm not sure what other auth mechanism you are talking about. There 
>> might be something new and very elaborate.
> 
> Just a SHA-based digest vs an MD5 one

https://datatracker.ietf.org/doc/draft-ietf-httpauth-digest/?include_text=1

It’s in draft state which is why no one has implemented it yet.

> 
>> 
>> But the problem with non-encrypted connections is that any hash could be 
>> used without the need to recover the plain text password. With cookies, 
>> one can sniff and use them.
> 
> That’s not true. Digest is a challenge-response protocol that uses a nonce as part of the sent hash. A packet-sniffed hash can’t be replayed.
> 
> --
> Jason T. Greene
> WildFly Lead / JBoss EAP Platform Architect
> JBoss, a division of Red Hat
> 
> 
> _______________________________________________
> wildfly-dev mailing list
> wildfly-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/wildfly-dev

--
Jason T. Greene
WildFly Lead / JBoss EAP Platform Architect
JBoss, a division of Red Hat
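
The nonce-bound exchange discussed in this message, as an added example that is not part of the original post and is not WildFly code: an RFC 2617 style `qop=auth` digest computation, with the hash selectable between MD5 and a SHA-2 hash, and a server that tracks nonce counts. The realm, user, password and URI are constructed sample values, and `DigestServer` is a hypothetical helper.

```python
import hashlib
import hmac
import secrets

def h(alg, text):
    """Hex digest of text under the named hash (e.g. "md5", "sha256")."""
    return hashlib.new(alg, text.encode()).hexdigest()

def client_response(alg, user, realm, password, method, uri, nonce, nc, cnonce):
    """Client side: qop=auth response, bound to the server's nonce."""
    ha1 = h(alg, f"{user}:{realm}:{password}")
    ha2 = h(alg, f"{method}:{uri}")
    return h(alg, f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

class DigestServer:  # hypothetical helper, not a WildFly class
    def __init__(self, realm, users, alg="md5"):
        self.alg = alg
        # Server keeps HA1, never the plaintext password.
        self.ha1 = {u: h(alg, f"{u}:{realm}:{p}") for u, p in users.items()}
        self.last_nc = {}  # issued nonce -> highest nonce count accepted

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.last_nc[nonce] = 0
        return nonce

    def verify(self, user, method, uri, nonce, nc, cnonce, response):
        if user not in self.ha1 or nonce not in self.last_nc:
            return False  # unknown user, or nonce this server never issued
        if int(nc, 16) <= self.last_nc[nonce]:
            return False  # same nonce/nc seen before: replay
        ha2 = h(self.alg, f"{method}:{uri}")
        expected = h(self.alg, f"{self.ha1[user]}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
        if not hmac.compare_digest(expected, response):
            return False
        self.last_nc[nonce] = int(nc, 16)
        return True

def demo(alg="md5"):
    """Returns (first use, replay on same nonce, replay on fresh nonce)."""
    realm, user, pw, uri = "example-realm", "admin", "constructed-pw", "/resource"
    server = DigestServer(realm, {user: pw}, alg)
    nonce, cnonce = server.challenge(), secrets.token_hex(8)
    sniffed = client_response(alg, user, realm, pw, "GET", uri, nonce, "00000001", cnonce)
    args = (user, "GET", uri, nonce, "00000001", cnonce, sniffed)
    first, replay = server.verify(*args), server.verify(*args)
    fresh = server.challenge()
    return first, replay, server.verify(user, "GET", uri, fresh, "00000001", cnonce, sniffed)
```

Rejecting the replay on the same nonce relies on the server remembering the highest `nc` it accepted for that nonce; the hash itself only binds the response to the nonce it was computed for.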



