ssl

JBoss Tomcat SSL Cache Control Max-Age

Submitted by kai on Mon, 2008-03-24 23:21.

If you are running SSL with JBoss, you will notice that Tomcat always sends the "Cache-Control: no-cache" HTTP header, which asks browsers not to cache any content. This is a big NO-NO for static content like images, JavaScript and CSS, which should be cached by browsers to improve page loading performance.

The JBoss wiki has the details on how to disable this cache control.

Once you have that fix in place, you can use JBoss's ReplyHeaderFilter to specify a max-age header that tells browsers to cache your content.
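A web.xml fragment showing one way to wire this up, as an added example that is not from the original post or the JBoss wiki. It assumes the filter class name shipped with JBoss 4.x (check it against your installed version); the filter name, URL patterns and the one-hour max-age are illustrative choices.

```xml
<!-- WEB-INF/web.xml fragment. Added example: filter name, patterns and
     max-age value are assumptions, not taken from the post. -->
<filter>
  <!-- hypothetical filter name -->
  <filter-name>StaticCacheFilter</filter-name>
  <!-- class name as shipped in JBoss 4.x; verify for your version -->
  <filter-class>org.jboss.web.tomcat.filters.ReplyHeaderFilter</filter-class>
  <!-- each init-param becomes a response header:
       param-name = header name, param-value = header value -->
  <init-param>
    <param-name>Cache-Control</param-name>
    <param-value>max-age=3600</param-value>
  </init-param>
</filter>

<!-- Map the filter to static assets only. Pages that carry session or
     user-specific data are left unmapped so they keep no-cache and are
     not stored in browser or proxy caches. One url-pattern per mapping
     keeps the fragment valid under the Servlet 2.4 schema. -->
<filter-mapping>
  <filter-name>StaticCacheFilter</filter-name>
  <url-pattern>*.css</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>StaticCacheFilter</filter-name>
  <url-pattern>*.js</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>StaticCacheFilter</filter-name>
  <url-pattern>*.png</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>StaticCacheFilter</filter-name>
  <url-pattern>*.gif</url-pattern>
</filter-mapping>
```

After deploying, inspect the response headers for a static file and for a logged-in page over HTTPS to confirm that only the static file carries max-age.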

Love OpenID, Hate Password? Get Your Password-less SSL Certificated OpenID From Certifi.ca

Submitted by kai on Tue, 2007-12-25 18:21.

Slowly, more and more sites are supporting login using OpenID.

The selling point of OpenID is that you can use one login to access various sites. This is very convenient. But I am worried about losing the same password for all the OpenID-supported sites I access. There are so many phishing activities going on to steal passwords. I need something that's not password-based.

I came across Certifi.ca, which is a password-less OpenID provider using SSL certificates for public key-based authentication. The basic idea is that you store your public SSL certificate (public key) and the private key in your browser. Certifi.ca identifies you by your public key, and uses your public key to encrypt communication between your browser and itself. Your browser with the private key is the only one that can decrypt the communication. There's no password needed!
