[opencms-dev] Securing OpenCms workplace login
Jeremy Cavagnolo
jeremy at paradoxcomponents.com
Thu Feb 10 20:32:47 CET 2005
Thanks for the suggestion, Sebastian. I will try this later today.
Anyone out there have some comments/documentation about the
passwordhandler in opencms-system.xml?
-jeremy
On Thu, 2005-02-10 at 11:18, Sebastian Himberger wrote:
> Hi Jeremy
>
> you're right, multiple hosts for one ip are not possible because the
> handshake is happening before the virtual host ist resolved. although it
> is possible to build a https proxy with mod_proxy and mod_rewrite. I
> don't know if this helps in your particular case but i've attached an
> example how i achieved ssl for multiple virtual hosts.
>
> # SSL Proxy
> <VirtualHost *:443>
> DocumentRoot "/"
> ServerName ssl.server.de
> SSLCertificateFile conf/ssl/server.cert
> SSLCertificateKeyFile conf/ssl/server.key
> SSLEngine on
> RewriteEngine on
> RewriteCond (%{HTTP_HOST}) host\.de
> RewriteRule ^(.*) http://www.host.de$1 [P]
> RewriteCond (%{HTTP_HOST}) host2\.de
> RewriteRule ^(.*) http://www.host2.de$1 [P]
> </VirtualHost>
>
> I don't know if this works with cookies but perhaps it may help you a
> little bit.
>
> Good luck
> Sebastian
>
> Jeremy Cavagnolo wrote:
> > Thanks for the suggestions. It seems to me that I would have to modify
> > the OpenCms login module to add javascript MD5 encryption. However,
> > upon more digging, I found the following in opencms-system.xml:
> >
> > <passwordhandler
> > class="org.opencms.security.CmsDefaultPasswordHandler">
> > <encoding>UTF-8</encoding>
> > <digest-type>MD5</digest-type>
> > <param name="compatibility.convert.digestencoding">false</param>
> > </passwordhandler>
> >
> > Is there any documentation on the passwordhandler in
> > opencms-system.xml? Does this default configuration use javascript to
> > encrypt the password BEFORE sending it?
> >
> > Thanks,
> >
> > jeremy
> >
> >
> >
> > On Thu, 2005-02-10 at 09:42, Jorge González wrote:
> >
> >>Sorry if this doesn't work for you but...
> >>
> >>Why don't you send the password hash instead clear.
> >>You can use a simple javascript md5 hash and send the hash, not the password
> >>thru the wires.
> >>
> >>If you need all the info secured, this will not work, of course...
> >>
> >>
> >>
> >>_______________________________________________
> >>This mail is send to you from the opencms-dev mailing list
> >>To change your list options, or to unsubscribe from the list, please visit
> >>http://mail.opencms.org/mailman/listinfo/opencms-dev
> >
> >
> >
> >
> > _______________________________________________
> > This mail is send to you from the opencms-dev mailing list
> > To change your list options, or to unsubscribe from the list, please visit
> > http://mail.opencms.org/mailman/listinfo/opencms-dev
> >
>
>
>
> _______________________________________________
> This mail is send to you from the opencms-dev mailing list
> To change your list options, or to unsubscribe from the list, please visit
> http://mail.opencms.org/mailman/listinfo/opencms-dev
More information about the opencms-dev
mailing list