Posted to dev@chemistry.apache.org by Naresh Bhatia <bh...@comcast.net> on 2011/06/28 22:39:43 UTC
Password handling by OpenCMIS
When I create a CMIS session using SessionFactory.createSession(), how is
the password sent to the server - is it sent in clear text, hashed, does it
depend on the protocol (AtomPub vs. Web Service)? Just trying to figure out
how secure it is between OpenCMIS and the server.
Thanks.
Naresh
Re: Password handling by OpenCMIS
Posted by Florian Müller <fl...@alfresco.com>.
Yes, you only have to provide an HTTPS URL.
Make sure that the server certificate is known by the client.
Florian
On 28/06/2011 22:48, Naresh Bhatia wrote:
> Thanks. And I assume OpenCMIS can work with https without any modifications,
> i.e. all I need to do is to set SessionParameter.ATOMPUB_URL to an https URL
> and I am ready to go. Correct?
>
> Thanks.
> Naresh
>
>
> On Tue, Jun 28, 2011 at 5:12 PM, Florian Müller<
> florian.mueller@alfresco.com> wrote:
>
>> Hi Naresh,
>>
>> The CMIS specification doesn't define how the user authentication should
>> work but it makes two recommendations:
>> - For the AtomPub binding: HTTP Basic Authentication
>> - For the Web Services binding: WS-Security UsernameToken
>>
>> Basically all repositories support those methods and they are used by
>> default by OpenCMIS.
>> Note that in both cases usernames and passwords are sent in clear text.
>> That is, on a production system you should ALWAYS use HTTPS!
>>
>> Some repositories also support more sophisticated and more secure
>> authentication methods that don't require HTTPS.
>> Please consult the repository vendor about which additional methods are provided.
>>
>> OpenCMIS can support those as well with a little bit of custom code. Please
>> see [1][2][3].
>>
>>
>> - Florian
>>
>>
>> [1]
>> http://chemistry.apache.org/java/developing/client/dev-client-bindings.html#OpenCMISClientBindings-CustomAuthenticationProvider
>> [2]
>> http://chemistry.apache.org/java/0.4.0/maven/apidocs/org/apache/chemistry/opencmis/commons/spi/AuthenticationProvider.html
>> [3] Java class:
>> org.apache.chemistry.opencmis.client.bindings.spi.StandardAuthenticationProvider
>>
>>
>> On 28/06/2011 21:39, Naresh Bhatia wrote:
>>> When I create a CMIS session using SessionFactory.createSession(), how is
>>> the password sent to the server - is it sent in clear text, hashed, does it
>>> depend on the protocol (AtomPub vs. Web Service)? Just trying to figure out
>>> how secure it is between OpenCMIS and the server.
>>>
>>> Thanks.
>>> Naresh
>>>
>>
>>
>
Re: Password handling by OpenCMIS
Posted by Naresh Bhatia <bh...@comcast.net>.
Thanks. And I assume OpenCMIS can work with https without any modifications,
i.e. all I need to do is to set SessionParameter.ATOMPUB_URL to an https URL
and I am ready to go. Correct?
Thanks.
Naresh
On Tue, Jun 28, 2011 at 5:12 PM, Florian Müller <
florian.mueller@alfresco.com> wrote:
> Hi Naresh,
>
> The CMIS specification doesn't define how the user authentication should
> work but it makes two recommendations:
> - For the AtomPub binding: HTTP Basic Authentication
> - For the Web Services binding: WS-Security UsernameToken
>
> Basically all repositories support those methods and they are used by
> default by OpenCMIS.
> Note that in both cases usernames and passwords are sent in clear text.
> That is, on a production system you should ALWAYS use HTTPS!
>
> Some repositories also support more sophisticated and more secure
> authentication methods that don't require HTTPS.
> Please consult the repository vendor about which additional methods are provided.
>
> OpenCMIS can support those as well with a little bit of custom code. Please
> see [1][2][3].
>
>
> - Florian
>
>
> [1]
> http://chemistry.apache.org/java/developing/client/dev-client-bindings.html#OpenCMISClientBindings-CustomAuthenticationProvider
> [2]
> http://chemistry.apache.org/java/0.4.0/maven/apidocs/org/apache/chemistry/opencmis/commons/spi/AuthenticationProvider.html
> [3] Java class:
> org.apache.chemistry.opencmis.client.bindings.spi.StandardAuthenticationProvider
>
>
> On 28/06/2011 21:39, Naresh Bhatia wrote:
> > When I create a CMIS session using SessionFactory.createSession(), how is
> > the password sent to the server - is it sent in clear text, hashed, does it
> > depend on the protocol (AtomPub vs. Web Service)? Just trying to figure out
> > how secure it is between OpenCMIS and the server.
> >
> > Thanks.
> > Naresh
> >
>
>
Re: Password handling by OpenCMIS
Posted by Florian Müller <fl...@alfresco.com>.
Hi Naresh,
The CMIS specification doesn't define how the user authentication should work but it makes two recommendations:
- For the AtomPub binding: HTTP Basic Authentication
- For the Web Services binding: WS-Security UsernameToken
Basically all repositories support those methods and they are used by default by OpenCMIS.
Note that in both cases usernames and passwords are sent in clear text. That is, on a production system you should ALWAYS use HTTPS!
Some repositories also support more sophisticated and more secure authentication methods that don't require HTTPS.
Please consult the repository vendor about which additional methods are provided.
OpenCMIS can support those as well with a little bit of custom code. Please see [1][2][3].
- Florian
[1] http://chemistry.apache.org/java/developing/client/dev-client-bindings.html#OpenCMISClientBindings-CustomAuthenticationProvider
[2] http://chemistry.apache.org/java/0.4.0/maven/apidocs/org/apache/chemistry/opencmis/commons/spi/AuthenticationProvider.html
[3] Java class: org.apache.chemistry.opencmis.client.bindings.spi.StandardAuthenticationProvider
On 28/06/2011 21:39, Naresh Bhatia wrote:
> When I create a CMIS session using SessionFactory.createSession(), how is
> the password sent to the server - is it sent in clear text, hashed, does it
> depend on the protocol (AtomPub vs. Web Service)? Just trying to figure out
> how secure it is between OpenCMIS and the server.
>
> Thanks.
> Naresh
>
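An added example, not part of the original thread or of the OpenCMIS project: it shows why the HTTP Basic header used by the AtomPub binding counts as clear text (base64 is reversible by anyone who sees the request) and wraps the session parameters in a guard that refuses a non-HTTPS URL. The class and helper names, the host `cmis.example.com` and the credentials are constructed for illustration; the OpenCMIS client jars are assumed to be on the classpath, and `main` itself makes no network connection.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import org.apache.chemistry.opencmis.client.runtime.SessionFactoryImpl;
import org.apache.chemistry.opencmis.commons.SessionParameter;
import org.apache.chemistry.opencmis.commons.enums.BindingType;

public class HttpsOnlyCmisClient {   // hypothetical class name

    // What HTTP Basic Authentication puts on the wire: base64, not encryption.
    static String basicHeader(String user, String password) {
        byte[] raw = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    // Anyone who can read the request recovers "user:password" like this.
    static String decodeBasicHeader(String header) {
        byte[] raw = Base64.getDecoder().decode(header.substring("Basic ".length()));
        return new String(raw, StandardCharsets.UTF_8);
    }

    // Build AtomPub session parameters, refusing any URL that is not https.
    static Map<String, String> atomPubParameters(String url, String user, String password) {
        if (!"https".equalsIgnoreCase(URI.create(url).getScheme())) {
            throw new IllegalArgumentException("refusing to send credentials to " + url);
        }
        Map<String, String> p = new HashMap<>();
        p.put(SessionParameter.BINDING_TYPE, BindingType.ATOMPUB.value());
        p.put(SessionParameter.ATOMPUB_URL, url);
        p.put(SessionParameter.USER, user);
        p.put(SessionParameter.PASSWORD, password);
        return p;
    }

    // Contacts the server; only ever called with parameters that passed the guard.
    static int countRepositories(Map<String, String> p) {
        return SessionFactoryImpl.newInstance().getRepositories(p).size();
    }

    public static void main(String[] args) {
        String header = basicHeader("alice", "s3cret");          // constructed credentials
        System.out.println(header + " decodes to " + decodeBasicHeader(header));
        atomPubParameters("https://cmis.example.com/atom", "alice", "s3cret"); // accepted
        try {
            atomPubParameters("http://cmis.example.com/atom", "alice", "s3cret");
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());                  // plain http is rejected
        }
    }
}
```

For the HTTPS connection to succeed, the JVM running the client must trust the server certificate's issuer, for example through the truststore named by the `javax.net.ssl.trustStore` system property.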