Hi Naresh,

The CMIS specification doesn't define how the user authentication should work but it makes two recommendations:

- For the AtomPub binding: HTTP Basic Authentication
- For the Web Services binding: WS-Security UsernameToken

Basically all repositories support those methods and they are used by default by OpenCMIS. Note that in both cases usernames and passwords are sent in clear text. That is, on a production system you should ALWAYS use HTTPS!

Some repositories also support more sophisticated and more secure authentication methods that don't require HTTPS. Please consult the repository vendor which additional methods are provided. OpenCMIS can support those as well with a little bit of custom code. Please see [1][2][3].

- Florian

[1] http://chemistry.apache.org/java/developing/client/dev-client-bindings.html#OpenCMISClientBindings-CustomAuthenticationProvider
[2] http://chemistry.apache.org/java/0.4.0/maven/apidocs/org/apache/chemistry/opencmis/commons/spi/AuthenticationProvider.html
[3] Java class: org.apache.chemistry.opencmis.client.bindings.spi.StandardAuthenticationProvider

On 28/06/2011 21:39, Naresh Bhatia wrote:
> When I create a CMIS session using SessionFactory.createSession(), how is
> the password sent to the server - is it sent in clear text, hashed, does it
> depend on the protocol (AtomPub vs. Web Service)? Just trying to figure out
> how secure it is between OpenCMIS and the server.
>
> Thanks.
> Naresh
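
The point made in the reply above, as an added example that is not part of the original thread or of the OpenCMIS code base: it shows that the HTTP Basic header used for the AtomPub binding is only base64 and decodes straight back to the password, and it wraps SessionFactory.createSession() in a check that refuses any AtomPub URL that is not HTTPS. The class name, helper names, host, repository id and credentials are constructed for illustration, and the OpenCMIS client library is assumed to be on the classpath.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import org.apache.chemistry.opencmis.client.api.Session;
import org.apache.chemistry.opencmis.client.runtime.SessionFactoryImpl;
import org.apache.chemistry.opencmis.commons.SessionParameter;
import org.apache.chemistry.opencmis.commons.enums.BindingType;

// Hypothetical helper class, not part of OpenCMIS.
public class HttpsOnlyCmisSession {

    // What HTTP Basic Authentication puts in the Authorization header.
    static String basicHeader(String user, String password) {
        byte[] pair = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(pair);
    }

    // Base64 is an encoding, not encryption: reading the header yields "user:password".
    static String recover(String header) {
        byte[] raw = Base64.getDecoder().decode(header.substring("Basic ".length()));
        return new String(raw, StandardCharsets.UTF_8);
    }

    // Create an AtomPub session only when the transport is HTTPS.
    static Session createSession(String atomPubUrl, String repositoryId,
                                 String user, String password) {
        // A missing scheme yields null here and is rejected as well.
        if (!"https".equalsIgnoreCase(URI.create(atomPubUrl).getScheme())) {
            throw new IllegalArgumentException(
                "refusing to send credentials to non-HTTPS URL " + atomPubUrl);
        }
        Map<String, String> p = new HashMap<>();
        p.put(SessionParameter.BINDING_TYPE, BindingType.ATOMPUB.value());
        p.put(SessionParameter.ATOMPUB_URL, atomPubUrl);
        p.put(SessionParameter.REPOSITORY_ID, repositoryId);
        p.put(SessionParameter.USER, user);
        p.put(SessionParameter.PASSWORD, password);
        return SessionFactoryImpl.newInstance().createSession(p);
    }

    public static void main(String[] args) {
        // Constructed sample credentials and host.
        String header = basicHeader("alice", "constructed-password");
        System.out.println(header + " decodes to " + recover(header));
        try {
            createSession("http://cmis.example.test/atom", "repo1", "alice", "constructed-password");
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
    }
}
```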
