
Re: HTTP authentication support

Subject: Re: HTTP authentication support
From: Abel Braaksma <abel.online@xxxxxxxxx>
Date: Tue, 04 Sep 2007 00:08:04 +0200
Robert Koberg wrote:
How are you suggesting these should work?
The simplest approach is merely to recognize URLs in the form https://user:pass@host/


That is secure for what? Classroom examples?

This is not about security, it is about authentication. They are related, but not the same. Basic Authentication (which could be what is expressed above) is not secure at all: the password is sent in plain text over the internet and it doesn't really matter whether you type it or not. Digest authentication is a bit more secure, but still fairly easy to crack. SSL, of course, is the way to go when you want it secure because your data becomes virtually unreadable, but you usually combine it with some way of authentication, next to your certificate + encryption.


In almost all systems where some layer needs to access another layer (ORM needs access to RDBMS, Ant needs access to CVS etc) automatically, passwords are stored inside the code/pwd files/settings files, sometimes encrypted, sometimes not. The security then does not depend on this visible password on the system, but on the way this system is secured from the rest of the world.

So, to answer your question: it is as secure as any system that needs an (automatic) secured connection to another system (and obviously you don't need to store the password/username inside the XSLT).

Cheers,
-- Abel Braaksma


Alternatively, you can, of course, make it all interactive. If I use Eclipse (or is it Oxygen?) to run a stylesheet that tries to get data from a challenge/response type of connection, it is so kind as to ask me for a password, even when I do it with XSLT. But then, this password is sent unencrypted (unless it is SSL of course, but then still, anybody with access to my computer will be able to get the information through keyloggers).
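
An added example, not part of the message above or of any XSLT processor's code: what a resolver that accepts the `https://user:pass@host/` form discussed in this thread would put on the wire, and what anyone who can read that header gets back. The function names, the sample URL and the TLS-only rule are assumptions of this sketch.

```python
import base64
from urllib.parse import urlsplit, urlunsplit, unquote


def split_credentials(url):
    """Return (url_without_userinfo, username, password) for a user:pass@host URL."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if ":" in host:                      # IPv6 literal needs its brackets back
        host = f"[{host}]"
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    clean = urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))
    # userinfo is percent-encoded in a URL; decode before using it as a credential
    user = unquote(parts.username) if parts.username is not None else None
    pwd = unquote(parts.password) if parts.password is not None else None
    return clean, user, pwd


def basic_auth_request(url, allow_cleartext=False):
    """Build the request target and headers a resolver would send for `url`."""
    clean, user, pwd = split_credentials(url)
    headers = {}
    if user is not None:
        # Assumed policy: never attach Basic credentials to a non-TLS request.
        if urlsplit(url).scheme != "https" and not allow_cleartext:
            raise ValueError("refusing to send Basic credentials without TLS")
        token = base64.b64encode(f"{user}:{pwd or ''}".encode("utf-8")).decode("ascii")
        headers["Authorization"] = f"Basic {token}"
    return clean, headers


def recover_from_header(value):
    """What a reader of the header learns: Base64 is an encoding, not encryption."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, pwd = base64.b64decode(token).decode("utf-8").partition(":")
    return user, pwd


if __name__ == "__main__":
    # Constructed sample URL; host and credentials are placeholders.
    target, hdrs = basic_auth_request("https://user:p%40ss@host.example/data.xml")
    print(target, hdrs, recover_from_header(hdrs["Authorization"]))
```

The request target returned by `basic_auth_request` no longer carries the userinfo, so it is the form to write to logs or error messages.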

