Thanks. And I assume OpenCMIS can work with https without any modifications, i.e. all I need to do is to set SessionParameter.ATOMPUB_URL to an https URL and I am ready to go. Correct?
Thanks.
Naresh

On Tue, Jun 28, 2011 at 5:12 PM, Florian Müller <[email protected]> wrote:

> Hi Naresh,
>
> The CMIS specification doesn't define how the user authentication should
> work but it makes two recommendations:
> - For the AtomPub binding: HTTP Basic Authentication
> - For the Web Services binding: WS-Security UsernameToken
>
> Basically all repositories support those methods and they are used by
> default by OpenCMIS.
> Note, that in both cases usernames and passwords are sent in clear text.
> That is, on a production system you should ALWAYS use HTTPS!
>
> Some repositories also support more sophisticated and more secure
> authentication methods that don't require HTTPS.
> Please consult the repository vendor which additional methods are provided.
>
> OpenCMIS can support those as well with a little bit of custom code. Please
> see [1][2][3].
>
>
> - Florian
>
>
> [1]
> http://chemistry.apache.org/java/developing/client/dev-client-bindings.html#OpenCMISClientBindings-CustomAuthenticationProvider
> [2]
> http://chemistry.apache.org/java/0.4.0/maven/apidocs/org/apache/chemistry/opencmis/commons/spi/AuthenticationProvider.html
> [3] Java class:
> org.apache.chemistry.opencmis.client.bindings.spi.StandardAuthenticationProvider
>
>
> On 28/06/2011 21:39, Naresh Bhatia wrote:
> > When I create a CMIS session using SessionFactory.createSession(), how is
> > the password sent to the server - is it sent in clear text, hashed, does it
> > depend on the protocol (AtomPub vs. Web Service)? Just trying to figure out
> > how secure it is between OpenCMIS and the server.
> >
> > Thanks.
> > Naresh
