chemistry-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Naresh Bhatia <bhat...@comcast.net>
Subject Re: Password handling by OpenCMIS
Date Tue, 28 Jun 2011 21:48:30 GMT
Thanks. And I assume OpenCMIS can work with https without any modifications,
i.e. all I need to do is to set SessionParameter.ATOMPUB_URL to an https URL
and I am ready to go. Correct?

Thanks.
Naresh


On Tue, Jun 28, 2011 at 5:12 PM, Florian Müller <
florian.mueller@alfresco.com> wrote:

> Hi Naresh,
>
> The CMIS specification doesn't define how the user authentication should
> work but it makes two recommendations:
> - For the AtomPub binding: HTTP Basic Authentication
> - For the Web Services binding: WS-Security UsernameToken
>
> Basically all repositories support those methods and they are used by
> default by OpenCMIS.
> Note, that in both cases usernames and passwords are sent in clear text.
> That is, on a production system you should ALWAYS use HTTPS!
>
> Some repositories also support more sophisticated and more secure
> authentication methods that don't require HTTPS.
> Please consult the repository vendor which additional methods are provided.
>
> OpenCMIS can support those as well with a little bit of custom code. Please
> see [1][2][3].
>
>
> - Florian
>
>
> [1]
> http://chemistry.apache.org/java/developing/client/dev-client-bindings.html#OpenCMISClientBindings-CustomAuthenticationProvider
> [2]
> http://chemistry.apache.org/java/0.4.0/maven/apidocs/org/apache/chemistry/opencmis/commons/spi/AuthenticationProvider.html
> [3] Java class:
> org.apache.chemistry.opencmis.client.bindings.spi.StandardAuthenticationProvider
>
>
> On 28/06/2011 21:39, Naresh Bhatia wrote:
> > When I create a CMIS session using SessionFactory.createSession(), how is
> > the password sent to the server - is it sent in clear text, hashed, does
> it
> > depend on the protocol (AtomPub vs. Web Service)? Just trying to figure
> out
> > how secure it is between OpenCMIS and the server.
> >
> > Thanks.
> > Naresh
> >
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message