[DAS] HTTP Authentication Plug
Steven Blanchard
sgblanch at gmail.com
Tue Oct 28 14:25:42 UTC 2008
My apologies on taking so long to write this up. Like Andy, I make no
specific mention of how DAS clients and servers would use the
authentication information.
HTTP Authentication has 4 different dialects.
1. Basic (clear-text, Base64 encoded)
2. Digest (Better security than clear-text)
3. NTLM (Windows Authentication)
4. Negotiate (for Kerberos and NTLM)
If we go with HTTP authentication, I would recommend that we only
require Basic and Digest authentication to be supported by DAS clients
and servers.
Pros of HTTP Authentication
- Almost all client libraries support basic and digest HTTP
authentication
- HTTP Authentication is easy to integrate with existing password
databases
- Easy to implement on the server side
- All authentication information is stored in the HTTP header
- Simple for DAS server administrators to set up and test without having
to rely on a third party
Cons of HTTP Authentication
- The implementations available in servlet containers, Apache, etc. will
not work for DAS. Servers will have to provide their own
implementation
- The challenge/response design of HTTP authentication--sending a 401
Authorization Required when accessing a secured URL--would leak
sensitive information. (can be mitigated)
- Users would have to log in to each server supporting authentication
separately
- Basic authentication transmits the user name and password in the clear
for every request
Cheers,
~Steven
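The challenge/response exchange for the two schemes the post proposes requiring, Basic and Digest, as an added worked example (not code from the post or from any DAS server). Both sides are shown: the server's 401 challenge with its WWW-Authenticate header, the client's Authorization header, and the server's verification. The realm, the single-user credential store, the nonce bookkeeping and the request URI are assumptions made for the example. Digest follows RFC 2617 with qop=auth; a helper recomputes the RFC's own worked example so the arithmetic can be checked.

```python
"""HTTP Basic and Digest (RFC 2617, qop=auth) challenge/response, both sides.

Added illustration only. REALM, USERS and the nonce set are constructed
for the example; a real server would persist nonces and expire them.
"""
import base64
import hashlib
import hmac
import os
import re

REALM = "das@example.org"        # hypothetical realm
USERS = {"alice": "s3cret"}      # constructed credential store (plaintext here;
                                 # a Digest server may store HA1 instead)
ISSUED_NONCES = set()            # nonces this server has handed out


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def _parse_params(s: str) -> dict:
    """Parse key="value" and key=value pairs from an auth header value."""
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', s)
    return {k: quoted or bare for k, quoted, bare in pairs}


# ---- Basic: server challenge, client answer, server check ---------------
def basic_challenge() -> tuple:
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}


def basic_authorization(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def verify_basic(header: str):
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        return None
    user, _, pw = base64.b64decode(token).decode().partition(":")
    return user if USERS.get(user) == pw else None


def password_from_basic(header: str) -> str:
    """What anyone on the path recovers: Base64 is encoding, not encryption."""
    return base64.b64decode(header.split(" ", 1)[1]).decode().partition(":")[2]


# ---- Digest: the password never leaves the client ----------------------
def digest_challenge() -> tuple:
    nonce = os.urandom(16).hex()
    ISSUED_NONCES.add(nonce)
    return 401, {"WWW-Authenticate":
                 f'Digest realm="{REALM}", qop="auth", nonce="{nonce}"'}


def digest_authorization(user, password, method, uri, challenge,
                         nc="00000001", cnonce=None) -> str:
    """Client side: derive the response from the server's challenge."""
    p = _parse_params(challenge)
    cnonce = cnonce or os.urandom(8).hex()
    ha1 = _md5(f"{user}:{p['realm']}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    response = _md5(f"{ha1}:{p['nonce']}:{nc}:{cnonce}:auth:{ha2}")
    return (f'Digest username="{user}", realm="{p["realm"]}", '
            f'nonce="{p["nonce"]}", uri="{uri}", qop=auth, nc={nc}, '
            f'cnonce="{cnonce}", response="{response}"')


def verify_digest(header: str, method: str, uri: str):
    """Server side: recompute the response and compare in constant time."""
    scheme, _, rest = header.partition(" ")
    if scheme != "Digest":
        return None
    p = _parse_params(rest)
    needed = {"username", "realm", "nonce", "uri", "nc", "cnonce", "response"}
    if not needed.issubset(p) or p["nonce"] not in ISSUED_NONCES:
        return None
    if p["realm"] != REALM or p["uri"] != uri or p["username"] not in USERS:
        return None
    ha1 = _md5(f"{p['username']}:{REALM}:{USERS[p['username']]}")
    ha2 = _md5(f"{method}:{uri}")
    expected = _md5(f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:auth:{ha2}")
    return p["username"] if hmac.compare_digest(expected, p["response"]) else None


def rfc2617_example_response() -> str:
    """Recompute the worked example in RFC 2617 section 3.5 (fixed cnonce)."""
    ch = ('Digest realm="testrealm@host.com", qop="auth", '
          'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093"')
    auth = digest_authorization("Mufasa", "Circle Of Life", "GET",
                                "/dir/index.html", ch, cnonce="0a4f113b")
    return _parse_params(auth.partition(" ")[2])["response"]


if __name__ == "__main__":
    _, hdrs = digest_challenge()
    auth = digest_authorization("alice", "s3cret", "GET", "/das/features",
                                hdrs["WWW-Authenticate"])
    print(auth)                                   # no password in the header
    print(verify_digest(auth, "GET", "/das/features"))
    print(password_from_basic(basic_authorization("alice", "s3cret")))
```

The Digest verifier binds the response to the server-issued nonce, the realm and the request URI, so a captured Authorization header cannot be replayed against a different resource; binding it to the HTTP method the same way is what makes the HA2 term matter. Nothing here changes the post's point that Basic sends the password on every request, which is why the example prints it back from the header.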