Secure Global Desktop 4.31 Administration Guide > Users and authentication > Security considerations of using web server authentication
Using web server authentication (HTTP authentication) means that the browser has to cache the user's credentials and, in effect, the user's authentication to Secure Global Desktop. To minimize the risk of cached credentials being used by someone else, users:
Note: We recommend that you use a secure (HTTPS) web server to protect users' credentials.
The browser-based webtop uses Secure Global Desktop web services. The ITarantellaExternalAuth web service sets the identity of a user who has been authenticated by external means, such as web server authentication. For security, the client (the webtop web application) and the Secure Global Desktop server (the ITarantellaExternalAuth web service) have a shared secret: the username and password of a trusted user. This is, in effect, another layer of web server authentication.
In a standard installation, the browser-based webtop is pre-configured with the credentials of a single trusted user. See Trusted users and third party authentication for details of how to change these credentials or to add a new trusted user.
For the classic webtop, once the web server has authenticated the user, it allows them access to the Secure Global Desktop program ttawlogin.cgi and passes the name of the authenticated user (the web username) to this program. The ttawlogin.cgi program:
When the Secure Global Desktop server receives the token, it validates it by:
This means the three main areas of risk when using web server authentication with the classic webtop concern:
To prevent a token from being intercepted and used while still valid, we recommend you secure the connections to the Secure Global Desktop server and to the Secure Global Desktop Web Server (HTTPS).
The secret key shared by the Secure Global Desktop server and the ttawlogin.cgi program is generated every time Secure Global Desktop starts. The secret key is only accessible by someone with root permission on the Secure Global Desktop server. However, a new key is not generated for a warm restart (tarantella restart -warm). This behavior can be changed by running the following command:
tarantella config edit --tarantella-config-login-webauth-refreshkeyonwarmrestart 1
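The two properties the guide relies on, that a token is only useful while it is still valid, and that regenerating the shared secret key makes every earlier token worthless, can be seen in a small model. The following Python is an added illustration, not Secure Global Desktop's code, and it does not reproduce the real ttawlogin.cgi token format or validation steps: the field layout, the HMAC-SHA256 signature and the 30-second validity window are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Assumed validity window for the illustration; the real product's value is not stated here.
TOKEN_TTL_SECONDS = 30


def generate_key() -> bytes:
    """A fresh secret, as a server would produce at (cold) start-up."""
    return secrets.token_bytes(32)


def mint_token(key: bytes, web_username: str, now: float) -> str:
    """Hypothetical token: '<web username>:<issue time>:<HMAC over both>'."""
    issued = int(now)
    payload = f"{web_username}:{issued}"
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{mac}"


def validate_token(key: bytes, token: str, now: float) -> Tuple[bool, str]:
    """Return (accepted, web username or rejection reason)."""
    try:
        # rsplit from the right so a ':' inside the username cannot shift the fields
        web_username, issued_s, mac = token.rsplit(":", 2)
        issued = int(issued_s)
    except ValueError:
        return False, "malformed"
    expected = hmac.new(key, f"{web_username}:{issued}".encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison; fails for a tampered token or a token made with an old key
    if not hmac.compare_digest(mac, expected):
        return False, "bad signature"
    # Reject tokens from the future as well as tokens past their window
    if not (issued <= now < issued + TOKEN_TTL_SECONDS):
        return False, "expired"
    return True, web_username


def demo() -> Dict[str, bool]:
    """Exercise the interesting cases; constructed clock values, no real users."""
    key = generate_key()
    t0 = 1_000_000.0
    tok = mint_token(key, "alice", t0)
    return {
        # Presented promptly with the key that minted it: accepted
        "fresh": validate_token(key, tok, t0 + 5)[0],
        # The same token replayed after the window has closed: rejected
        "replayed_after_ttl": validate_token(key, tok, t0 + TOKEN_TTL_SECONDS)[0],
        # The server regenerated its key (a cold restart): every old token is rejected
        "after_key_refresh": validate_token(generate_key(), tok, t0 + 5)[0],
        # Username rewritten in transit without the key: signature no longer matches
        "tampered_user": validate_token(key, tok.replace("alice", "root", 1), t0 + 5)[0],
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:22s} accepted={accepted}")
```

The replay and key-refresh cases are the ones the guide's advice addresses: HTTPS keeps a token from being captured in the first place, and a key that is also refreshed on warm restart shortens the life of anything that was captured.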
The web server username is the name of the user that owns the web server processes. If you are using your own web server, the default user is often nobody or apache. If you are particularly concerned about security, we recommend that you do not use these defaults.
Copyright © 1997-2007 Sun Microsystems, Inc. All rights reserved.