cxf-issues mailing list archives

From "Glen Mazza (JIRA)" <j...@apache.org>
Subject [jira] Commented: (CXF-2873) Add authentication support (via HTTP basic authentication)
Date Sun, 04 Jul 2010 20:12:49 GMT

    [ https://issues.apache.org/jira/browse/CXF-2873?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12885076#action_12885076 ]

Glen Mazza commented on CXF-2873:
---------------------------------

This is the method you're referring to, Sergey, that Tomasz should implement, correct? http://en.wikipedia.org/wiki/Digest_access_authentication

I would guess *only* digest authentication should be allowed and not the basic auth (http://en.wikipedia.org/wiki/Basic_access_authentication)
because of the potential sensitivity of the SOAP request messages being viewed by the log
browser.

However, I don't see how supporting username/token as an additional method can provide additional
security, as you're just creating another door into the system with a potentially insecure
(buggy) lock.  Username/Token also requires nonces and timestamp restraints (and the digest
based on the same[1]) that AFAIK aren't even handled with CXF's basic SOAP usernameToken/password
implementation.

[1] http://old.nabble.com/Re%3A-How-to-configure-client-for-UsernameToken-with-plaintext-password-and-Nonce-p28117173.html


> Add authentication support (via HTTP basic authentication)
> ----------------------------------------------------------
>
>                 Key: CXF-2873
>                 URL: https://issues.apache.org/jira/browse/CXF-2873
>             Project: CXF
>          Issue Type: Sub-task
>            Reporter: Tomasz Oponowicz
>


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
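The nonce and timestamp checks Glen mentions for a digest-mode UsernameToken, as an added example that is not CXF code and not from this thread: it recomputes the WS-Security UsernameToken profile's PasswordDigest = Base64(SHA-1(nonce + created + password)) and refuses stale or replayed tokens. The user, password, clock and five-minute window are constructed assumptions.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed credential store and freshness window (assumptions, not CXF configuration).
PASSWORDS = {"alice": "correct horse battery staple"}
FRESHNESS = timedelta(minutes=5)

def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password)), with the nonce as raw bytes."""
    raw = base64.b64decode(nonce_b64, validate=True) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

def parse_created(created: str) -> datetime:
    """wsu:Created as a UTC xsd:dateTime, e.g. 2010-07-04T20:12:49Z."""
    return datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def client_token(username: str, password: str, nonce: bytes, created: str) -> dict:
    """The fields a client puts in its UsernameToken header (simulated for the demo)."""
    nonce_b64 = base64.b64encode(nonce).decode("ascii")
    return {"username": username, "nonce": nonce_b64, "created": created,
            "digest": password_digest(nonce_b64, created, password)}

class UsernameTokenVerifier:
    """Server side: check freshness, reject replayed nonces, then compare the digest."""
    def __init__(self, now):
        self.now = now    # injectable clock so the checks are deterministic
        self.seen = {}    # nonce -> Created time, retained for one freshness window

    def verify(self, token: dict) -> str:
        password = PASSWORDS.get(token["username"])
        if password is None:
            return "unknown-user"
        try:
            created_at = parse_created(token["created"])
            expected = password_digest(token["nonce"], token["created"], password)
        except ValueError:    # malformed timestamp or non-base64 nonce
            return "malformed"
        if abs(self.now() - created_at) > FRESHNESS:
            return "stale"    # outside the window: the nonce cache cannot vouch for it
        cutoff = self.now() - FRESHNESS
        self.seen = {n: t for n, t in self.seen.items() if t >= cutoff}
        if token["nonce"] in self.seen:
            return "replay"
        if not hmac.compare_digest(expected, token["digest"]):
            return "bad-digest"
        self.seen[token["nonce"]] = created_at    # remember only tokens that verified
        return "ok"
```

Without the freshness window the nonce cache would have to grow forever; without the nonce cache a captured token could be resent for as long as the window allows.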

