[deepamehta-devel] Developing Third Party Clients with Access Control Module (4.0.12-SNAPSHOT)

Jörg Richter jri at deepamehta.de
Sun Aug 26 18:09:32 CEST 2012


Here I'd like to provide you with an update on the security/access control/login topic.

In my recent mail I covered only one of the 2 login approaches DM currently provides:

1) DM's REST API (covered in the recent mail):
> 	GET /accesscontrol/login/{username}/{password}

2) Standard HTTP Basic Authentication.
When DM's request filter rejects a request (based on DM's security settings and user session), 401 Unauthorized is returned along with "WWW-Authenticate: Basic".

After discussing the topic with Danny, who knows a lot about security, we came up with these directives:
- Login via REST API is to be dropped. Sending the password in a GET request is bad even if it is SHA256 encoded.
- Instead we focus on HTTP Basic Authentication exclusively.
- In the DM webclient: when clicking the "Login" link, the server redirects the browser to let it bring up its login dialog.
- DM's embedded webserver (Jetty) runs HTTPS by default.

Malte, according to your original question this means: don't use the REST API approach I suggested in my recent mail. It will no longer work. Instead use HTTP Basic Authentication. This is already implemented in the "accesscontrol" branch.
Let me know if you need further help.

Cheers,
Jörg
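The Basic Authentication exchange described above (unauthenticated request, 401 with "WWW-Authenticate: Basic", retry with an Authorization header, HTTPS only), as an added Python example that is not DeepaMehta's own code. The `fake_dm_filter` function and the `DEMO_USERS` table are constructed stand-ins for DM's request filter and user store, not the real server.

```python
import base64
import hmac
from urllib.parse import urlsplit

# Constructed stand-in for DM's user store (made-up credentials for this example).
DEMO_USERS = {"malte": "secret"}

def basic_auth_header(username: str, password: str) -> str:
    """Build the Authorization header value for HTTP Basic Authentication."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def parse_basic_auth(header: str):
    """Parse 'Basic <base64>' back into (username, password); None if malformed."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        user, _, pw = base64.b64decode(token, validate=True).decode("utf-8").partition(":")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return (user, pw)

def fake_dm_filter(headers: dict):
    """Constructed stand-in for DM's request filter: 200 on valid credentials,
    otherwise 401 plus the Basic challenge the mail describes."""
    creds = parse_basic_auth(headers.get("Authorization", ""))
    if creds is not None:
        expected = DEMO_USERS.get(creds[0], "")
        # Constant-time comparison so the check does not leak password length/prefix.
        if expected and hmac.compare_digest(expected.encode(), creds[1].encode()):
            return 200, {}
    return 401, {"WWW-Authenticate": 'Basic realm="DeepaMehta"'}

def client_request(url: str, username: str, password: str, send=fake_dm_filter) -> int:
    """Third-party client flow: try without credentials, answer a Basic challenge,
    and refuse to send Basic credentials over anything but HTTPS."""
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to send Basic credentials over a non-HTTPS URL")
    status, resp_headers = send({})
    if status != 401:
        return status
    challenge = resp_headers.get("WWW-Authenticate", "")
    if not challenge.lower().startswith("basic"):
        raise RuntimeError(f"unsupported challenge: {challenge!r}")
    status, _ = send({"Authorization": basic_auth_header(username, password)})
    return status
```

Replace `send` with a real HTTPS call against the DM server to use the same flow in a client.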




More information about the devel mailing list