Web Confidential



Your Confidential Messenger. Communicate digitally with the same level of privacy and security as the spoken word. With encrypted, self-destructing, and screenshot-proof messages, Confide gives you the comfort of knowing that your private communication will now truly stay that way. Enjoy the videos and music you love, upload original content, and share it all with friends, family, and the world on YouTube.

Web Confidential: the classic password manager

Confidential definition is - marked by intimacy or willingness to confide. How to use confidential in a sentence. Web Confidential gives you access to your passwords from within your browser and from the macOS Dock. When you need access to a user ID and password, a handy floating utility window shows all the information you might need about your password.

Tour | FAQ | Customer Support | Release Notes | Purchase

Confidential Web Browsing

Web Confidential
Version 5.3, Copyright © 2021
Compatible with macOS Big Sur, Catalina, Mojave and High Sierra
Universal application available

Where do you keep your confidential data? Like most people these days, you've probably got a growing number of user IDs, passwords, registration keys, PIN codes, serial numbers, and the like, stored in various places on your computer or scribbled on miscellaneous pieces of paper around your home or office. When you stop and think about it, you probably have more of these pesky bits of information scattered about than you realize.

Web Confidential uses an intuitive, easy-to-use cardfile metaphor which will enable even novice users to get up to speed in no time. Power users will find a large number of options to enable them to configure Web Confidential to meet their specific needs.
Web Confidential gives you access to your passwords from within your browser and from the macOS Dock. When you need access to a user ID and password, a handy floating utility window shows all the information you might need about your password.
Web Confidential supports AppleScript and can of course also import passwords from other password managers. Web Confidential also supports Touch ID.
Last but not least, Web Confidential permits you to encrypt your password files, protecting this sensitive information from prying eyes, using the state-of-the-art Blowfish algorithm. The Blowfish algorithm was first published in 1994, and has been proven extremely resilient to cracking. No known successful cryptanalysis against Blowfish exists.

Testimonials

'Web Confidential is easy to use, secure, and well-integrated' - Adam C. Engst, TidBITS.

'I find Web Confidential indispensable' - Dr. Eric D. Belsley, The Mac Resource Page.

And recommended in: 'Internet Security for Your Macintosh', page 40, © 2001 Peachpit Press.


Download
Download

Localized
English, Japanese, Spanish, German, French, Italian and Dutch

Product Requirements
macOS

Support
FAQ
Support
My License

See also
URL Manager Pro

Specifying Security Constraints

Confidential web surfing

A security constraint is used to define the accessprivileges to a collection of resources using their URL mapping. The followingelements can be part of a security constraint:

  • Web resource collection (web-resource-collection)

    A web resource collection is a list of URL patterns(the part of a URL after the host name and port whichyou want to constrain) and HTTP operations (the methods within the files thatmatch the URL pattern which you want to constrain (in this example, POST and GET)) that describe a set of resources tobe protected. Web resource collections are discussed in Specifying a Web Resource Collection.

  • Authorization constraint (auth-constraint)

    Authorization constraints establisha requirement for authentication and name the roles authorized to performthe constrained requests. For more information about authorization constraints,read Specifying an Authentication Mechanism.

  • User data constraint (TutorialUser-data-constraint)

    User data constraints establisha requirement that the constrained requests be received over a protected transportlayer connection. This guarantees how the data will be transported betweenclient and server. The strength of the required protection is defined by thevalue of the transport guarantee. A transport guarantee of INTEGRAL isused to establish a requirement for content integrity and a transport guaranteeof CONFIDENTIAL is used to establish a requirement forconfidentiality. The transport guarantee of NONE indicatesthat the container must accept the constrained requests when received on anyconnection including an unprotected one. User data constraints are discussedin Specifying a Secure Connection.

Specifying a Web Resource Collection

Confidential

A web resource collection consists of the following sub-elements:

  • web-resource-name is the name you use forthis resource. It's use is optional, but it is useful to describe the resourcesbeing protected as applications get more complex.

  • url-pattern is used to list the requestURI to be protected.

    Many applications feature unprotectedweb content, which any caller can access without authentication. In the webtier, you provide unrestricted access simply by not configuring a securityconstraint for that particular request URI. It is common to have some unprotectedresources and some protected resources. In this case, you will define securityconstraints and a login method, but they will not be used to control accessto the unprotected resources. Users won’t be asked to log in until thefirst time they enter a protected request URI.

    The Java Servlet specification defines the request URI as the part ofa URL after the host name and port. For example, let’ssay you have an e-commerce site with a browseable catalog that you would wantanyone to be able to access, and a shopping cart area for customers only.You could set up the paths for your web application so that the pattern /cart/* is protected but nothing else is protected. Assuming thatthe application is installed at context path /myapp, thefollowing are true:

    • http://localhost:8080/myapp/index.jsp is not protected.

    • http://localhost:8080/myapp/cart/index.jspis protected.

    A user will not be prompted to log in the first time that user accessesa resource in the cart/ subdirectory.

  • http-method or http-method-omission isused to specify which methods should be protected or which methods shouldbe omitted from protection. An HTTP method is protected by a web-resource-collection when no HTTP methods are named in the collection (which means allare protected), or the collection specifically names the HTTP method in acontained http-method element, or the collection containsone or more http-method-omission elements, none of whichnames the HTTP method.

Web Confidential

Specifying an Authorization Constraint

An authorization constraint (auth-constraint) containsthe role-name element. You can use as many role-name elementsas needed here.

An authorization constraint establishes a requirement for authenticationand names the roles authorized to access the URL patterns and HTTP methodsdeclared by this security constraint. If there is no authorization constraint,the container must accept the request without requiring user authentication.If there is an authorization constraint, but no roles are specified withinit, the container will not allow access to constrained requests under anycircumstances. The role name(s) specified here must either correspond tothe role name of one of the <security-role> elementsdefined for this web application, or be the specially reserved role name *, which is a compact syntax for indicating all roles in the webapplication. Role names are case sensitive. The roles defined for the applicationmust be mapped to users and groups defined on the server. For more informationabout security roles, read Working with Security Roles.

Specifying a Secure Connection

Confidential

A user data constraint (<TutorialUser-data-constraint> inthe deployment descriptor) contains the <transport-guarantee> element.A user data constraint can be used to require that a protected transport layerconnection such as HTTPS (HTTP over SSL) be used for all constrained URL patternsand HTTP methods specified in the security constraint. The choices for transportguarantee include CONFIDENTIAL, INTEGRAL,or NONE. If you specify CONFIDENTIAL or INTEGRAL as a security constraint, it generally means that the useof SSL is required, and that type of security constraint applies to all requeststhat match the URL patterns in the web resource collection and not just tothe login dialog box.

The strength of the required protection is defined by the value of thetransport guarantee. Specify CONFIDENTIAL when the applicationrequires that data be transmitted so as to prevent other entities from observingthe contents of the transmission. Specify INTEGRAL whenthe application requires that the data be sent between client and server insuch a way that it cannot be changed in transit. Specify NONE toindicate that the container must accept the constrained requests on any connection,including an unprotected one.

The user data constraint is handy to use in conjunction with basic andform-based user authentication. When the login authentication method is setto BASIC or FORM, passwords are notprotected, meaning that passwords sent between a client and a server on anunprotected session can be viewed and intercepted by third parties. Usinga user data constraint with the user authentication mechanism can alleviatethis concern. Configuring a user authentication mechanism is described in Specifying an Authentication Mechanism.

To guarantee that data is transported over a secure connection, ensurethat SSL support is configured for your server. If your server is the SunJava System Enterprise Server, SSL support is already configured. If you are usinganother server, consult the documentation for that server for informationon setting up SSL support. More information on configuring SSL support onthe Enterprise Server can be found in Establishing a Secure Connection Using SSL and in the Sun GlassFish Enterprise Server v3 Administration Guide.

Web Confidential Mac

Note – Web Confidential

Good Security Practice: If you are using sessions, after you switchto SSL you should never accept any further requests for that session thatare non-SSL. For example, a shopping site might not use SSL until the checkoutpage, and then it might switch to using SSL to accept your card number. Afterswitching to SSL, you should stop listening to non-SSL requests for this session.The reason for this practice is that the session ID itself was not encryptedon the earlier communications. This is not so bad when you’re only doingyour shopping, but after the credit card information is stored in the session,you don’t want a bad guy trying to fake the purchase transaction againstyour credit card. This practice could be easily implemented using a filter.

Specifying Separate Security Constraints for DifferentResources

You can create a separate security constraint for different resourceswithin your application. For example, you could allow users with the roleof PARTNER access to the GET and POST methods of all resources with the URL pattern /acme/wholesale/*, and allow users with the role of CLIENT accessto theGET and POST methods of all resourceswith the URL pattern /acme/retail/*. An example of a deploymentdescriptor that would demonstrate this functionality is the following:

Best Confidential Web Search Engine

When the same url-pattern and http-method occurin multiple security constraints, the constraints on the pattern and methodare defined by combining the individual constraints, which could result inunintentional denial of access. The Java Servlet 3.0 Specification (downloadablefrom http://jcp.org/en/jsr/detail?id=315)gives more detail and an example that illustrates the combination of constraintsand how the declarations will be interpreted.