chemistry-dev mailing list archives

From Florian Müller <florian.muel...@alfresco.com>
Subject Re: Password handling by OpenCMIS
Date Tue, 28 Jun 2011 22:04:07 GMT
Yes, you only have to provide a HTTPS URL.
Make sure that the server certificate is known by the client.

Florian


On 28/06/2011 22:48, Naresh Bhatia wrote:
> Thanks. And I assume OpenCMIS can work with https without any modifications,
> i.e. all I need to do is to set SessionParameter.ATOMPUB_URL to an https URL
> and I am ready to go. Correct?
> 
> Thanks.
> Naresh
> 
> 
> On Tue, Jun 28, 2011 at 5:12 PM, Florian Müller <florian.mueller@alfresco.com> wrote:
> 
>> Hi Naresh,
>>
>> The CMIS specification doesn't define how the user authentication should
>> work but it makes two recommendations:
>> - For the AtomPub binding: HTTP Basic Authentication
>> - For the Web Services binding: WS-Security UsernameToken
>>
>> Basically all repositories support those methods and they are used by
>> default by OpenCMIS.
>> Note that in both cases usernames and passwords are sent in clear text.
>> That is, on a production system you should ALWAYS use HTTPS!
>>
>> Some repositories also support more sophisticated and more secure
>> authentication methods that don't require HTTPS.
>> Please consult the repository vendor which additional methods are provided.
>>
>> OpenCMIS can support those as well with a little bit of custom code. Please
>> see [1][2][3].
>>
>>
>> - Florian
>>
>>
>> [1]
>> http://chemistry.apache.org/java/developing/client/dev-client-bindings.html#OpenCMISClientBindings-CustomAuthenticationProvider
>> [2]
>> http://chemistry.apache.org/java/0.4.0/maven/apidocs/org/apache/chemistry/opencmis/commons/spi/AuthenticationProvider.html
>> [3] Java class:
>> org.apache.chemistry.opencmis.client.bindings.spi.StandardAuthenticationProvider
>>
>>
>> On 28/06/2011 21:39, Naresh Bhatia wrote:
>>> When I create a CMIS session using SessionFactory.createSession(), how is
>>> the password sent to the server - is it sent in clear text, hashed, does it
>>> depend on the protocol (AtomPub vs. Web Service)? Just trying to figure out
>>> how secure it is between OpenCMIS and the server.
>>>
>>> Thanks.
>>> Naresh
>>>
>>
>>
> 
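
An added example, not part of the original thread and not OpenCMIS project code: an AtomPub client that refuses to create a session unless SessionParameter.ATOMPUB_URL is an HTTPS URL, so the Basic Authentication credentials discussed above never leave the client unencrypted. The class name HttpsOnlyCmisSession, the helper atomPubParameters and the CMIS_PASSWORD environment variable are assumptions made for illustration.

```java
import java.net.URI;
import java.util.HashMap;
import java.util.Map;

import org.apache.chemistry.opencmis.client.api.Session;
import org.apache.chemistry.opencmis.client.runtime.SessionFactoryImpl;
import org.apache.chemistry.opencmis.commons.SessionParameter;
import org.apache.chemistry.opencmis.commons.enums.BindingType;

public class HttpsOnlyCmisSession {

    // Hypothetical helper: builds AtomPub session parameters, rejecting non-HTTPS URLs.
    static Map<String, String> atomPubParameters(String url, String user,
                                                 String password, String repositoryId) {
        // HTTP Basic Authentication only base64-encodes "user:password",
        // so confidentiality has to come from TLS.
        String scheme = URI.create(url).getScheme();
        if (!"https".equalsIgnoreCase(scheme)) {
            throw new IllegalArgumentException(
                "Refusing to send credentials over scheme '" + scheme + "': " + url);
        }
        Map<String, String> parameters = new HashMap<String, String>();
        parameters.put(SessionParameter.BINDING_TYPE, BindingType.ATOMPUB.value());
        parameters.put(SessionParameter.ATOMPUB_URL, url);
        parameters.put(SessionParameter.REPOSITORY_ID, repositoryId);
        parameters.put(SessionParameter.USER, user);
        parameters.put(SessionParameter.PASSWORD, password);
        return parameters;
    }

    public static void main(String[] args) {
        if (args.length != 3) {
            System.err.println("usage: HttpsOnlyCmisSession <https-url> <user> <repository-id>");
            System.exit(2);
        }
        // Assumption: the password is supplied in the CMIS_PASSWORD environment variable.
        String password = System.getenv("CMIS_PASSWORD");
        if (password == null) {
            System.err.println("CMIS_PASSWORD is not set");
            System.exit(2);
        }
        // The TLS handshake fails unless the JVM trust store holds the server
        // certificate or its issuing CA (see -Djavax.net.ssl.trustStore=<path>).
        Session session = SessionFactoryImpl.newInstance()
                .createSession(atomPubParameters(args[0], args[1], password, args[2]));
        System.out.println("Connected to: " + session.getRepositoryInfo().getName());
    }
}
```

A handshake failure at createSession usually means the server certificate is not in the client's trust store; importing the certificate or its CA is the fix, not disabling certificate validation.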

