Posted to dev@chemistry.apache.org by Naresh Bhatia <bh...@comcast.net> on 2011/06/28 22:39:43 UTC

Password handling by OpenCMIS

When I create a CMIS session using SessionFactory.createSession(), how is
the password sent to the server - is it sent in clear text, hashed, does it
depend on the protocol (AtomPub vs. Web Service)? Just trying to figure out
how secure it is between OpenCMIS and the server.

Thanks.
Naresh

Re: Password handling by OpenCMIS

Posted by Florian Müller <fl...@alfresco.com>.
Yes, you only have to provide a HTTPS URL.
Make sure that the server certificate is known by the client.

Florian


On 28/06/2011 22:48, Naresh Bhatia wrote:
> Thanks. And I assume OpenCMIS can work with https without any modifications,
> i.e. all I need to do is to set SessionParameter.ATOMPUB_URL to an https URL
> and I am ready to go. Correct?
> 
> Thanks.
> Naresh
> 
> 
> On Tue, Jun 28, 2011 at 5:12 PM, Florian Müller<
> florian.mueller@alfresco.com>  wrote:
> 
>> Hi Naresh,
>>
>> The CMIS specification doesn't define how the user authentication should
>> work but it makes two recommendations:
>> - For the AtomPub binding: HTTP Basic Authentication
>> - For the Web Services binding: WS-Security UsernameToken
>>
>> Basically all repositories support those methods and they are used by
>> default by OpenCMIS.
>> Note that in both cases usernames and passwords are sent in clear text.
>> That is, on a production system you should ALWAYS use HTTPS!
>>
>> Some repositories also support more sophisticated and more secure
>> authentication methods that don't require HTTPS.
>> Please consult the repository vendor about which additional methods are provided.
>>
>> OpenCMIS can support those as well with a little bit of custom code. Please
>> see [1][2][3].
>>
>>
>> - Florian
>>
>>
>> [1]
>> http://chemistry.apache.org/java/developing/client/dev-client-bindings.html#OpenCMISClientBindings-CustomAuthenticationProvider
>> [2]
>> http://chemistry.apache.org/java/0.4.0/maven/apidocs/org/apache/chemistry/opencmis/commons/spi/AuthenticationProvider.html
>> [3] Java class:
>> org.apache.chemistry.opencmis.client.bindings.spi.StandardAuthenticationProvider
>>
>>
>> On 28/06/2011 21:39, Naresh Bhatia wrote:
>>> When I create a CMIS session using SessionFactory.createSession(), how is
>>> the password sent to the server - is it sent in clear text, hashed, does
>> it
>>> depend on the protocol (AtomPub vs. Web Service)? Just trying to figure
>> out
>>> how secure it is between OpenCMIS and the server.
>>>
>>> Thanks.
>>> Naresh
>>>
>>
>>
> 


Re: Password handling by OpenCMIS

Posted by Naresh Bhatia <bh...@comcast.net>.
Thanks. And I assume OpenCMIS can work with https without any modifications,
i.e. all I need to do is to set SessionParameter.ATOMPUB_URL to an https URL
and I am ready to go. Correct?

Thanks.
Naresh


On Tue, Jun 28, 2011 at 5:12 PM, Florian Müller <
florian.mueller@alfresco.com> wrote:

> Hi Naresh,
>
> The CMIS specification doesn't define how the user authentication should
> work but it makes two recommendations:
> - For the AtomPub binding: HTTP Basic Authentication
> - For the Web Services binding: WS-Security UsernameToken
>
> Basically all repositories support those methods and they are used by
> default by OpenCMIS.
> Note that in both cases usernames and passwords are sent in clear text.
> That is, on a production system you should ALWAYS use HTTPS!
>
> Some repositories also support more sophisticated and more secure
> authentication methods that don't require HTTPS.
> Please consult the repository vendor about which additional methods are provided.
>
> OpenCMIS can support those as well with a little bit of custom code. Please
> see [1][2][3].
>
>
> - Florian
>
>
> [1]
> http://chemistry.apache.org/java/developing/client/dev-client-bindings.html#OpenCMISClientBindings-CustomAuthenticationProvider
> [2]
> http://chemistry.apache.org/java/0.4.0/maven/apidocs/org/apache/chemistry/opencmis/commons/spi/AuthenticationProvider.html
> [3] Java class:
> org.apache.chemistry.opencmis.client.bindings.spi.StandardAuthenticationProvider
>
>
> On 28/06/2011 21:39, Naresh Bhatia wrote:
> > When I create a CMIS session using SessionFactory.createSession(), how is
> > the password sent to the server - is it sent in clear text, hashed, does
> it
> > depend on the protocol (AtomPub vs. Web Service)? Just trying to figure
> out
> > how secure it is between OpenCMIS and the server.
> >
> > Thanks.
> > Naresh
> >
>
>

Re: Password handling by OpenCMIS

Posted by Florian Müller <fl...@alfresco.com>.
Hi Naresh,

The CMIS specification doesn't define how the user authentication should work but it makes two recommendations:
- For the AtomPub binding: HTTP Basic Authentication
- For the Web Services binding: WS-Security UsernameToken

Basically all repositories support those methods and they are used by default by OpenCMIS.
Note that in both cases usernames and passwords are sent in clear text. That is, on a production system you should ALWAYS use HTTPS!

Some repositories also support more sophisticated and more secure authentication methods that don't require HTTPS.
Please consult the repository vendor about which additional methods are provided.

OpenCMIS can support those as well with a little bit of custom code. Please see [1][2][3].


- Florian


[1] http://chemistry.apache.org/java/developing/client/dev-client-bindings.html#OpenCMISClientBindings-CustomAuthenticationProvider
[2] http://chemistry.apache.org/java/0.4.0/maven/apidocs/org/apache/chemistry/opencmis/commons/spi/AuthenticationProvider.html
[3] Java class: org.apache.chemistry.opencmis.client.bindings.spi.StandardAuthenticationProvider


On 28/06/2011 21:39, Naresh Bhatia wrote:
> When I create a CMIS session using SessionFactory.createSession(), how is
> the password sent to the server - is it sent in clear text, hashed, does it
> depend on the protocol (AtomPub vs. Web Service)? Just trying to figure out
> how secure it is between OpenCMIS and the server.
> 
> Thanks.
> Naresh
>
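As an added example (not code from this thread or from the OpenCMIS project), the session setup described in Florian's two answers in Java: an AtomPub session whose ATOMPUB_URL is https, using the default StandardAuthenticationProvider (HTTP Basic), with a guard that rejects a plain-http endpoint because the Basic credentials would otherwise leave the client in clear text. The endpoint, repository id and CMIS_PASSWORD environment variable are placeholders.

```java
import java.net.URI;
import java.util.HashMap;
import java.util.Map;

import org.apache.chemistry.opencmis.client.api.Session;
import org.apache.chemistry.opencmis.client.api.SessionFactory;
import org.apache.chemistry.opencmis.client.runtime.SessionFactoryImpl;
import org.apache.chemistry.opencmis.commons.SessionParameter;
import org.apache.chemistry.opencmis.commons.enums.BindingType;

/** Builds an OpenCMIS AtomPub session and refuses plain http: the default provider sends
 *  HTTP Basic, i.e. base64(user:password), which is encoding, not hashing. */
public final class SecureCmisSession {

    /** Returns the URL unchanged if its scheme is https, otherwise throws. */
    static String requireHttps(String url) {
        URI uri = URI.create(url);
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            throw new IllegalArgumentException(
                "Refusing to send Basic credentials over " + uri.getScheme() + ": " + url);
        }
        return url;
    }

    /** Session parameters for the AtomPub binding; only an https endpoint is accepted. */
    static Map<String, String> atomPubParameters(String url, String user,
                                                 String password, String repositoryId) {
        Map<String, String> p = new HashMap<String, String>();
        p.put(SessionParameter.BINDING_TYPE, BindingType.ATOMPUB.value());
        p.put(SessionParameter.ATOMPUB_URL, requireHttps(url));
        p.put(SessionParameter.USER, user);
        p.put(SessionParameter.PASSWORD, password);
        p.put(SessionParameter.REPOSITORY_ID, repositoryId);
        // Default provider (HTTP Basic for AtomPub, UsernameToken for Web Services).
        // A subclass of it is the hook for vendor-specific schemes mentioned in the thread.
        p.put(SessionParameter.AUTHENTICATION_PROVIDER_CLASS,
              "org.apache.chemistry.opencmis.client.bindings.spi.StandardAuthenticationProvider");
        return p;
    }

    public static void main(String[] args) {
        SessionFactory factory = SessionFactoryImpl.newInstance();
        // Placeholder endpoint, repository id and password source.
        Session session = factory.createSession(atomPubParameters(
            "https://cmis.example.com/atom", "user",
            System.getenv("CMIS_PASSWORD"), "repo-id-placeholder"));
        System.out.println(session.getRepositoryInfo().getName());
    }
}
```

The TLS handshake only succeeds if the JVM trusts the server certificate; if it is not in the default truststore, point `-Djavax.net.ssl.trustStore` at one that contains it rather than relaxing certificate or hostname verification.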