Menu
▾
▴
Re: [Betterform-users] betterform and passwords (HTTP basic authentication)
|
From: Ronald v. K. <rv...@in...> - 2010-09-10 09:52:07
|
Op 10-09-10 11:36, Joern Turner schreef:
> Ronald,
>
> please forgive me if i have to contradict some of your statements
Great ;-)
> See inline.
>
> On 9/10/10 9:51 AM, Ronald van Kuijk wrote:
>> Michael,
>>
>> See answers inline
>>
>> Op 10-09-10 06:11, C. M. Sperberg-McQueen schreef:
>>> This feels like a new-user question; my apologies if it's a
>>> FAQ, but all I've seen in the betterform documentation are
>>> the statements that
>>>
>>> Besides using GET you can use POST, PUT and DELETE ...
>>> (User Guide sec. 5.4)
>>>
>>> and
>>>
>>> If you have more fine-grained requirements you should use
>>> the XForms submission module which gives you all to
>>> interact with complex webservices, do authentication, handle
>>> exceptions or other events and give messages to the user.
>>>
>>> These make me think that what I'm trying to do ought to be
>>> possible.
>> No, not realy. What is meant by the lasts statement is that you should
>> write your own submission handler to do these kinds of 'advanced' things
> It IS possible to authenticate by using submission headers and we have
> done so in several cases. Here is a simple example which works with
> eXist database but should work in a similar way with a WebDAV resources:
>
> <xf:submission id="s-add"
> method="put"
> replace="none"
> ref="instance()">
> <xf:resource value="concat('/exist/rest/db/betterform
> /apps/timetracker/data/task/', instance('i-task')/task/created, '.xml')"/>
>
> <xf:header>
> <xf:name>username</xf:name>
> <xf:value>admin</xf:value>
> </xf:header>
> <xf:header>
> <xf:name>password</xf:name>
> <xf:value>betterform</xf:value>
> </xf:header>
> <xf:header>
> <xf:name>realm</xf:name>
> <xf:value>exist</xf:value>
> </xf:header>
>
> However this is specific for eXist. For HTTP the setting the header
> should be like this:
> <xf:header>
> <xf:name>authorization</xf:name>
> <xf:value value="concat('username',':','password')">
> </xf:header>
> where 'username' and 'password' are the concrete name and pass of the user.
>
>
Ok, I indeed did not know that. I would have expected something like
action="http://username:pasword@remote.host/....." to have worked was
well (like michael mentioned), where the username and password could be
replaced with AVT. Form authors should not need to know the low-level
http headers for authenticaiton etc. Would this be a nice addition?
> their submission resources?
>> No, we at least don't (see previous answer). Further more, it would
>> become even more difficult (almost impossible) if e.g. certificates are
>> to be used. But
> Sorry - i have to object again - a customer of ours has just implemented
> a submissionhandler that uses certificates. This will become of our
> product soon and be available to the community.
You are right if there is one server-side certificate, but then you do
not autenticate the 'real' client. Using certificates directly from the
client ON the server is *not* possible. That was the usecase I had in
mind. There is a nice solution though, but that requires some additional
infrastructure. See below
> As betterFORM copies all header information from the browser request to
> use it in its internal http module .......
The way this is implemented is indeed something that could be realy
handy and is often overlooked.
>>> I don't actually much like basic authentication; if I could make
>>> something better work, I'd gladly do so.
> Following option provide increasing security:
> - encrypt user and pass
> - use https
> - use certificates (ultimate)
Using something like SAML would make authentication certificates
possible. Just separate the autentication from using a site. You can
authenticate with whatever means you provide.
Ronald
|