Authentication with Java, PHP, .htaccess
Hi there,
I am thinking about creating a Java project that requires some authentication routines.
Users (who are given a unique user ID) are employing a client software (Java) that retrieves specific data from a webserver (available resources: HTML, SSI, PHP, .htaccess).
A user should be able to use *any* client to get his data from the webserver, so unique client IDs are a non-option. Probably two users might even use two instances of the same client on the same machine (meaning the same IP).
I want this to be reasonably secure, so no plaintext protocol. I thought about something like a challenge-response architecture, BUT...
...how can I do this with only PHP (server) and Java (client) as options?
I don't need a polished, smooth, perfect solution - a rough idea will do. Are there any secret/public key architectures with ready-to-use PHP modules that are also implemented in Java? Or does anybody have a completely different idea I haven't thought about yet?
Nice idea, but sorry, no SSL...
(I would have to upgrade my web hosting for that - it would give me Perl, Python, SSL etc. but cost about twice as much. That's why I'd like to handle this by PHP alone.)
I already made a draft design of some authentication architecture, but I'd still need an encryption supported by both Java and PHP. Any suggestions?
Have a look at RFC 2617 from IETF (www.ietf.org). This RFC specifies two mechanisms for authenticated access to HTTP resources. .htaccess is based on these mechanisms. Unfortunately, they are not secure enough. The first protocol, BASIC, sends clear text username/password. The second, DIGEST, sends digests of the username/password using a challenge-response scheme. The disadvantage of DIGEST is that the username/password needs to be stored in clear on the server-side.
What you could do, which is something I am currently working on myself, is to implement your own protocol, based on this RFC. This is possible because you are in control of both the clients and the server. It wouldn't be possible if standard browsers were used as clients.
Good luck!
/Christer
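The DIGEST challenge-response computation that Christer points to, written out as an added Java example (this is not code from the thread, from RFC 2617, or from any project; the helper names `md5Hex`, `ha1`, `ha2`, `response` and `verify` are my own). It uses only `java.security.MessageDigest`, which every JRE ships, and the sample values from RFC 2617 section 3.5. The same `:`-joined strings hashed with PHP's `md5()` give identical lower-case hex, so the server half can be done in plain PHP. RFC 2617 specifies MD5; the construction, not the hash, is what the example illustrates.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/**
 * RFC 2617 Digest access authentication, computed by hand.
 * Client and server must build byte-identical ':'-joined strings and
 * hash them the same way; Java MessageDigest and PHP md5() both do.
 */
public class DigestAuthExample {

    /** Lower-case hex MD5 of a UTF-8 string, the H() function of RFC 2617. */
    static String md5Hex(String s) {
        try {
            MessageDigest md = MessageDigest.getInstance("MD5");
            byte[] digest = md.digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(String.format("%02x", b)); // %x on a byte is unsigned
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 is mandatory in every JRE", e);
        }
    }

    /** HA1 = H(username:realm:password). A server may store this instead of the password. */
    static String ha1(String username, String realm, String password) {
        return md5Hex(username + ":" + realm + ":" + password);
    }

    /** HA2 = H(method:digest-uri) for qop="auth". */
    static String ha2(String method, String uri) {
        return md5Hex(method + ":" + uri);
    }

    /** response = H(HA1:nonce:nc:cnonce:qop:HA2), the value the client sends back. */
    static String response(String ha1, String nonce, String nc, String cnonce,
                           String qop, String ha2) {
        return md5Hex(ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":" + qop + ":" + ha2);
    }

    /** Server-side check: the stored HA1 alone suffices to recompute the expected response. */
    static boolean verify(String storedHa1, String method, String uri, String nonce,
                          String nc, String cnonce, String qop, String clientResponse) {
        String expected = response(storedHa1, nonce, nc, cnonce, qop, ha2(method, uri));
        // constant-time comparison, so timing does not leak how many bytes matched
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     clientResponse.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Sample values from RFC 2617 section 3.5.
        String username = "Mufasa", realm = "testrealm@host.com", password = "Circle Of Life";
        String nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"; // the server's challenge
        String cnonce = "0a4f113b", nc = "00000001", qop = "auth";
        String method = "GET", uri = "/dir/index.html";

        // Client side: derive HA1 from the password, answer the challenge.
        String h1 = ha1(username, realm, password);
        String resp = response(h1, nonce, nc, cnonce, qop, ha2(method, uri));
        System.out.println("response = " + resp);
        System.out.println("matches the RFC 2617 example value: "
                + resp.equals("6629fae49393a05397450978507c4ef1"));

        // Server side: holds only HA1, never sees the password on the wire.
        System.out.println("verify with stored HA1:   "
                + verify(h1, method, uri, nonce, nc, cnonce, qop, resp));
        System.out.println("verify with wrong secret: "
                + verify(ha1(username, realm, "wrong"), method, uri, nonce, nc, cnonce, qop, resp));
    }
}
```

Two things worth seeing in the code: the server never needs the plaintext password if it stores HA1, but HA1 is itself enough to answer any challenge for that realm, so it has to be protected exactly as a password would be, which is the storage problem Christer raises. And the nonce is the only thing that makes a replayed response useless, so the server must issue a fresh one per challenge and refuse responses to nonces it did not issue recently.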