chemistry-dev mailing list archives

From Florian Müller <florian.muel...@alfresco.com>
Subject Re: Password handling by OpenCMIS
Date Tue, 28 Jun 2011 21:12:21 GMT
Hi Naresh,

The CMIS specification doesn't define how the user authentication should work but it makes
two recommendations: 
- For the AtomPub binding: HTTP Basic Authentication 
- For the Web Services binding: WS-Security UsernameToken  

Basically all repositories support those methods and they are used by default by OpenCMIS.
Note that in both cases usernames and passwords are sent in clear text. That is, on a production
system you should ALWAYS use HTTPS!

Some repositories also support more sophisticated and more secure authentication methods that
don't require HTTPS.
Please consult the repository vendor about which additional methods are provided.

OpenCMIS can support those as well with a little bit of custom code. Please see [1][2][3].


- Florian


[1] http://chemistry.apache.org/java/developing/client/dev-client-bindings.html#OpenCMISClientBindings-CustomAuthenticationProvider
[2] http://chemistry.apache.org/java/0.4.0/maven/apidocs/org/apache/chemistry/opencmis/commons/spi/AuthenticationProvider.html
[3] Java class: org.apache.chemistry.opencmis.client.bindings.spi.StandardAuthenticationProvider


On 28/06/2011 21:39, Naresh Bhatia wrote:
> When I create a CMIS session using SessionFactory.createSession(), how is
> the password sent to the server - is it sent in clear text, hashed, does it
> depend on the protocol (AtomPub vs. Web Service)? Just trying to figure out
> how secure it is between OpenCMIS and the server.
> 
> Thanks.
> Naresh
> 
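
Added example (not part of the original message and not code from the OpenCMIS project): a client-side guard that refuses to open an OpenCMIS session unless every endpoint URL in the session parameters uses https, so the default Basic / UsernameToken credentials are never sent over plain HTTP. The class name, the requireHttps helper, the endpoint URL, the repository id and the environment variable names are assumptions made for illustration.

```java
import java.net.URI;
import java.util.HashMap;
import java.util.Map;

import org.apache.chemistry.opencmis.client.api.Session;
import org.apache.chemistry.opencmis.client.runtime.SessionFactoryImpl;
import org.apache.chemistry.opencmis.commons.SessionParameter;
import org.apache.chemistry.opencmis.commons.enums.BindingType;

public class HttpsOnlyCmisSession {

    /** Hypothetical helper: reject any URL-valued parameter that is not https. */
    static void requireHttps(Map<String, String> endpointParams) {
        for (Map.Entry<String, String> e : endpointParams.entrySet()) {
            String value = e.getValue();
            if (value == null || !value.contains("://")) {
                continue; // not a URL-valued parameter (binding type, repository id, ...)
            }
            // URI.create also throws IllegalArgumentException on a malformed URL.
            String scheme = URI.create(value.trim()).getScheme();
            if (!"https".equalsIgnoreCase(scheme)) {
                throw new IllegalArgumentException(
                        e.getKey() + " must use https, found scheme: " + scheme);
            }
        }
    }

    public static void main(String[] args) {
        Map<String, String> params = new HashMap<String, String>();
        params.put(SessionParameter.BINDING_TYPE, BindingType.ATOMPUB.value());
        // Placeholder endpoint and repository id (assumptions, replace with your own).
        params.put(SessionParameter.ATOMPUB_URL, "https://cmis.example.com/atom");
        params.put(SessionParameter.REPOSITORY_ID, "example-repo");

        // Check the endpoints before credentials are added, so a password that
        // happens to contain "://" is never mistaken for a URL.
        requireHttps(params);

        // Credentials come from the environment (variable names are assumptions).
        params.put(SessionParameter.USER, System.getenv("CMIS_USER"));
        params.put(SessionParameter.PASSWORD, System.getenv("CMIS_PASSWORD"));

        Session session = SessionFactoryImpl.newInstance().createSession(params);
        System.out.println("Connected to " + session.getRepositoryInfo().getName());
    }
}
```

The same check covers the Web Services binding, because each service endpoint there is also passed as a URL-valued session parameter.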

