From: Ronald v. K. <rv...@in...> - 2010-09-10 09:52:07
|
Op 10-09-10 11:36, Joern Turner schreef: > Ronald, > > please forgive me if i have to contradict some of your statements Great ;-) > See inline. > > On 9/10/10 9:51 AM, Ronald van Kuijk wrote: >> Michael, >> >> See answers inline >> >> Op 10-09-10 06:11, C. M. Sperberg-McQueen schreef: >>> This feels like a new-user question; my apologies if it's a >>> FAQ, but all I've seen in the betterform documentation are >>> the statements that >>> >>> Besides using GET you can use POST, PUT and DELETE ... >>> (User Guide sec. 5.4) >>> >>> and >>> >>> If you have more fine-grained requirements you should use >>> the XForms submission module which gives you all to >>> interact with complex webservices, do authentication, handle >>> exceptions or other events and give messages to the user. >>> >>> These make me think that what I'm trying to do ought to be >>> possible. >> No, not realy. What is meant by the lasts statement is that you should >> write your own submission handler to do these kinds of 'advanced' things > It IS possible to authenticate by using submission headers and we have > done so in several cases. Here is a simple example which works with > eXist database but should work in a similar way with a WebDAV resources: > > <xf:submission id="s-add" > method="put" > replace="none" > ref="instance()"> > <xf:resource value="concat('/exist/rest/db/betterform > /apps/timetracker/data/task/', instance('i-task')/task/created, '.xml')"/> > > <xf:header> > <xf:name>username</xf:name> > <xf:value>admin</xf:value> > </xf:header> > <xf:header> > <xf:name>password</xf:name> > <xf:value>betterform</xf:value> > </xf:header> > <xf:header> > <xf:name>realm</xf:name> > <xf:value>exist</xf:value> > </xf:header> > > However this is specific for eXist. For HTTP the setting the header > should be like this: > <xf:header> > <xf:name>authorization</xf:name> > <xf:value value="concat('username',':','password')"> > </xf:header> > where 'username' and 'password' are the concrete name and pass of the user. > > Ok, I indeed did not know that. I would have expected something like action="http://username:pasword@remote.host/....." to have worked was well (like michael mentioned), where the username and password could be replaced with AVT. Form authors should not need to know the low-level http headers for authenticaiton etc. Would this be a nice addition? > their submission resources? >> No, we at least don't (see previous answer). Further more, it would >> become even more difficult (almost impossible) if e.g. certificates are >> to be used. But > Sorry - i have to object again - a customer of ours has just implemented > a submissionhandler that uses certificates. This will become of our > product soon and be available to the community. You are right if there is one server-side certificate, but then you do not autenticate the 'real' client. Using certificates directly from the client ON the server is *not* possible. That was the usecase I had in mind. There is a nice solution though, but that requires some additional infrastructure. See below > As betterFORM copies all header information from the browser request to > use it in its internal http module ....... The way this is implemented is indeed something that could be realy handy and is often overlooked. >>> I don't actually much like basic authentication; if I could make >>> something better work, I'd gladly do so. > Following option provide increasing security: > - encrypt user and pass > - use https > - use certificates (ultimate) Using something like SAML would make authentication certificates possible. Just separate the autentication from using a site. You can authenticate with whatever means you provide. Ronald |