[deepamehta-devel] Developing Third Party Clients with Access Control Module (4.0.12-SNAPSHOT)

Jörg Richter jri at deepamehta.de
Tue Aug 28 16:06:43 CEST 2012


DM's security and access control concepts are still in flux.
What I wrote in the previous posting does NOT apply anymore:

> After discussing the topic with Danny, who knows a lot about security, we came up with these directives:
> - Login via REST API is to be dropped. Sending the password in a GET request is bad even if it is SHA256 encoded.
> - Instead we focus on HTTP Basic Authentication exclusively.
> - In the DM webclient: when clicking the "Login" link, the server redirects the browser to let it bring up its login dialog.
> - DM's embedded webserver (Jetty) runs HTTPS by default.

Instead, after further discussion with Danny, we decided to keep the dual approach that is currently implemented:
1) Login via DM REST API. However, a POST request will replace the current GET request.
2) Login via HTTP Basic Authentication.

Out-of-the-box DM's webserver will run HTTP (and respond to local requests only).
HTTPS will be an option. The admin will have to create or import a server certificate and set some config properties.

So, Malte, you are actually free to choose between the 2 login approaches.
Sorry for the changes.

Cheers,
Jörg
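As an added illustration of the two login approaches described above (example code written for this page, not DeepaMehta's own implementation; the /login path, the form field names, the session cookie and the salted-hash user store are assumptions), here is a minimal Python request handler that accepts a POST login and HTTP Basic authentication, rejects credentials sent via GET, and shows why: the query string of a GET lands verbatim in the access log, whereas a POST body does not.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed user store for the example: username -> salted SHA-256 of the password.
_SALT = b"constructed-salt"
USERS = {
    "malte": hashlib.sha256(_SALT + b"correct horse").hexdigest(),
}

SESSIONS = {}  # session id -> username (in-memory, example only)


def _verify(username, password):
    """Constant-time comparison of the submitted password against the stored hash."""
    stored = USERS.get(username)
    if stored is None:
        return False
    candidate = hashlib.sha256(_SALT + password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(stored, candidate)


def basic_auth_header(username, password):
    """Client side of approach 2: build the Authorization header value."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def _basic_auth_user(headers):
    """Server side of approach 2: parse 'Authorization: Basic <base64>'; return username or None."""
    value = headers.get("Authorization", "")
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    if not sep or not _verify(username, password):
        return None
    return username


def handle_request(method, url, headers, body=""):
    """Dispatch one request; returns (status, response_headers, body_text)."""
    parts = urlsplit(url)
    if parts.path == "/login":
        # Approach 1: login via the REST API, POST only.
        if method != "POST":
            # Credentials in a GET query string end up in access logs, browser
            # history and Referer headers, hashed or not, so refuse them.
            return 405, {"Allow": "POST"}, "login requires POST"
        form = parse_qs(body)
        username = form.get("username", [""])[0]
        password = form.get("password", [""])[0]
        if not _verify(username, password):
            return 401, {}, "invalid credentials"
        sid = secrets.token_urlsafe(32)
        SESSIONS[sid] = username
        return 200, {"Set-Cookie": f"sid={sid}; HttpOnly; SameSite=Strict"}, "ok"
    # Approach 2: any other resource may be authenticated with HTTP Basic.
    user = _basic_auth_user(headers)
    if user is None:
        return 401, {"WWW-Authenticate": 'Basic realm="DeepaMehta"'}, "unauthorized"
    return 200, {}, f"hello {user}"


def access_log_line(method, url, status):
    """What a typical web server writes per request: method, path and query, never the body."""
    return f'"{method} {url}" {status}'


if __name__ == "__main__":
    # A GET login is refused, and its query string (with the hashed password) would be logged anyway.
    leaky = "/login?username=malte&password=" + hashlib.sha256(b"correct horse").hexdigest()
    print(handle_request("GET", leaky, {}))
    print(access_log_line("GET", leaky, 405))
    # A POST login succeeds and the log line carries no credentials.
    print(handle_request("POST", "/login", {}, "username=malte&password=correct+horse"))
    print(access_log_line("POST", "/login", 200))
    # Basic authentication on a resource request.
    hdrs = {"Authorization": basic_auth_header("malte", "correct horse")}
    print(handle_request("GET", "/topics", hdrs))
```

Note that neither approach protects the credentials on the wire: a POST body and a Basic header are both plaintext over HTTP, so the HTTPS option mentioned above matters as soon as the server accepts non-local requests.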
