From: Naresh Bhatia
To: dev@chemistry.apache.org
Date: Tue, 28 Jun 2011 17:48:30 -0400
Subject: Re: Password handling by OpenCMIS

Thanks. And I assume OpenCMIS can work with https without any modifications,
i.e. all I need to do is to set SessionParameter.ATOMPUB_URL to an https URL
and I am ready to go. Correct?

Thanks.
Naresh

On Tue, Jun 28, 2011 at 5:12 PM, Florian Müller <florian.mueller@alfresco.com> wrote:

> Hi Naresh,
>
> The CMIS specification doesn't define how the user authentication should
> work but it makes two recommendations:
> - For the AtomPub binding: HTTP Basic Authentication
> - For the Web Services binding: WS-Security UsernameToken
>
> Basically all repositories support those methods and they are used by
> default by OpenCMIS.
> Note, that in both cases usernames and passwords are sent in clear text.
> That is, on a production system you should ALWAYS use HTTPS!
>
> Some repositories also support more sophisticated and more secure
> authentication methods that don't require HTTPS.
> Please consult the repository vendor which additional methods are provided.
>
> OpenCMIS can support those as well with a little bit of custom code. Please
> see [1][2][3].
>
>
> - Florian
>
>
> [1] http://chemistry.apache.org/java/developing/client/dev-client-bindings.html#OpenCMISClientBindings-CustomAuthenticationProvider
> [2] http://chemistry.apache.org/java/0.4.0/maven/apidocs/org/apache/chemistry/opencmis/commons/spi/AuthenticationProvider.html
> [3] Java class: org.apache.chemistry.opencmis.client.bindings.spi.StandardAuthenticationProvider
>
>
> On 28/06/2011 21:39, Naresh Bhatia wrote:
> > When I create a CMIS session using SessionFactory.createSession(), how is
> > the password sent to the server - is it sent in clear text, hashed, does it
> > depend on the protocol (AtomPub vs. Web Service)? Just trying to figure out
> > how secure it is between OpenCMIS and the server.
> >
> > Thanks.
> > Naresh
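
Added example, not part of the original thread and not OpenCMIS code: a Python sketch of the point made in the quoted reply, showing that both recommended mechanisms (HTTP Basic for AtomPub, a WS-Security UsernameToken for Web Services) carry the password in recoverable form, so the binding URL has to be https. The host name, the credentials and both requests are constructed samples, and the PasswordText token type is an assumption about what the UsernameToken carries.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")

# Constructed sample traffic (not captured from a real system).
ATOMPUB_REQUEST = (
    "GET /cmis/atom HTTP/1.1\r\n"
    "Host: cmis.example.test\r\n"
    "Authorization: Basic " + base64.b64encode(b"alice:s3cret").decode() + "\r\n\r\n"
)
SOAP_REQUEST = f"""<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
 <S:Header><wsse:Security xmlns:wsse="{WSSE}"><wsse:UsernameToken>
  <wsse:Username>alice</wsse:Username>
  <wsse:Password Type="{PASSWORD_TEXT}">s3cret</wsse:Password>
 </wsse:UsernameToken></wsse:Security></S:Header><S:Body/></S:Envelope>"""


def creds_from_basic(http_request):
    """Recover (user, password) from an Authorization: Basic header, or None."""
    for line in http_request.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "authorization":
            scheme, _, token = value.strip().partition(" ")
            if scheme.lower() == "basic":
                user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
                return user, password
    return None


def creds_from_username_token(soap_xml):
    """Recover (user, password) from a PasswordText UsernameToken, or None."""
    token = ET.fromstring(soap_xml).find(f".//{{{WSSE}}}UsernameToken")
    if token is None:
        return None
    pw = token.find(f"{{{WSSE}}}Password")
    if pw is None or pw.get("Type", PASSWORD_TEXT) != PASSWORD_TEXT:
        return None  # e.g. PasswordDigest: the element does not hold the plain password
    return token.findtext(f"{{{WSSE}}}Username"), pw.text


def endpoint_exposes_password(url):
    """True when a binding URL would carry the credentials above without TLS."""
    return urlsplit(url).scheme.lower() != "https"
```

Base64 in the Basic header is an encoding, not encryption, which is why the first function needs no key.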