[DAS2] authentication

Andrew Dalke dalke at dalkescientific.com
Mon May 15 15:35:37 UTC 2006


We said we were going to talk about DAS authentication today.

The goal is to know who did a writeback edit.  A secondary
goal is to allow/deny read access.

I think the solution is to use HTTP Basic authentication.
This puts the username and password in the request headers
and is easy to implement.
   http://en.wikipedia.org/wiki/Basic_authentication_scheme

It's open to various attacks (sniffing the wire, replay attacks).
The usual response, if this is a problem, is HTTP Digest
authentication.

I looked at HTTP digest authentication
    http://www.ietf.org/rfc/rfc2617.txt
    http://en.wikipedia.org/wiki/Digest_access_authentication

It's more complicated because it exchanges a nonce.  That's
a sort of key from the server combined on the client with
the password and a counter to generate an MD5 checksum.
The checksum is sent to the server in future requests.

It's more complicated.  I've never needed to support it
and I don't have experience with it.  I only know that
web sites do widely support it, along with many libraries.


Another solution is basic authentication over HTTPS.  I've
never had to support HTTPS either.


Yet another is to include the authentication information
in the payload
   <USER>Andrew</USER>
   <PASSWORD>12345</PASSWORD>

At best this will be equal to an existing HTTP authentication
scheme, with no existing library support, so I say no.


					Andrew
					dalke at dalkescientific.com
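Added illustration (not from Andrew's post, nor DAS2 project code) of the two schemes compared above: Basic puts the reversible base64 of user:password on the wire, while Digest sends only an MD5 of the password mixed with the server nonce, a client nonce and a request counter, so the server can keep HA1 instead of the password and refuse a replayed counter. The DigestVerifier class and its nonce-count tracking are my own construction; the Mufasa test vector is the one printed in RFC 2617.

```python
import base64
import hashlib
import hmac


def basic_header(user, password):
    """Basic scheme: credentials are only base64-encoded, not protected."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def basic_credentials(header):
    """Anyone who sees the header (sniffing the wire) gets the password back."""
    token = header.split(" ", 1)[1]
    user, password = base64.b64decode(token).decode().split(":", 1)
    return user, password


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side of RFC 2617 Digest with qop=auth: the password never leaves the client."""
    ha1 = _md5(f"{user}:{realm}:{password}")        # can be precomputed and stored server-side
    ha2 = _md5(f"{method}:{uri}")                   # binds the response to this request
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestVerifier:
    """Server side (constructed helper): stores HA1 per user, tracks the nonce count."""

    def __init__(self, realm, ha1_by_user):
        self.realm = realm
        self.ha1_by_user = ha1_by_user
        self.highest_nc = {}  # server nonce -> highest nc accepted so far

    def verify(self, user, method, uri, nonce, nc, cnonce, response, qop="auth"):
        ha1 = self.ha1_by_user.get(user)
        if ha1 is None:
            return False
        expected = _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{_md5(f'{method}:{uri}')}")
        if not hmac.compare_digest(expected, response):
            return False
        count = int(nc, 16)
        if count <= self.highest_nc.get(nonce, 0):  # same or older counter: replay
            return False
        self.highest_nc[nonce] = count
        return True
```

The replay check only covers a nonce the server issued itself; a real deployment also expires nonces and sends a fresh one (stale=true) when a client's count falls behind.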