Re: [Xsltforms-support] Basic authentication strategies

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Hello,

you can set headers in a submission with xsltforms, with something similar to:

                <xf:submission id="send_authorized_req" method="get" replace="instance" instance="---instance name ---" resource="---url---" mode="synchronous">
                    <xf:header>
                        <xf:name>Authorization</xf:name>
                        <xf:value>Basic: ----credential---</xf:value>
                    </xf:header>
                </xf:submission>

where ----credential--- is the user+password in base64 encoding (https://en.wikipedia.org/wiki/Basic_access_authentication).

I don't know if you can set headers in <xf:instance src="---url---"/> request (I haven't seen anything about it), but you can force a submission when page is finishing to load, so I think it could work for you something like this:

                    <xf:action ev:event="xforms-ready">
                        <xf:send submission="send_authorized_req"/>
                    </xf:action>

Best Regards,
Javier

El 4/10/23 a las 15:11, Richard Light escribió:

EXTERNAL EMAIL - Do not click any links or open any attachments unless you trust the sender and know the content is safe.

Our XForms application is pulling in various resources which are protected by Basic authentication. Given that XForms simply offers the src="XXX" syntax for accessing these external resources, what do people do/advise?

I can make it work by using the syntax:

http(s)://[username]:[password]@[requested URL]

(although my colleague gets a "401 (Unauthorised)" error for exactly the same URL), but this is surely a massive security hole, since the username and password are sitting there in full view in the XForms document.

Any thoughts or advice welcome!

Richard

--
________________________________
Richard Light
ric...@gm...<mailto:ric...@gm...>
@richardofsussex

_______________________________________________
Xsltforms-support mailing list
Xsl...@li...<mailto:Xsl...@li...>
https://lists.sourceforge.net/lists/listinfo/xsltforms-support