Yes, you only have to provide an HTTPS URL. Make sure that the server certificate is known by the client.
Florian

On 28/06/2011 22:48, Naresh Bhatia wrote:
> Thanks. And I assume OpenCMIS can work with https without any modifications,
> i.e. all I need to do is to set SessionParameter.ATOMPUB_URL to an https URL
> and I am ready to go. Correct?
>
> Thanks.
> Naresh
>
>
> On Tue, Jun 28, 2011 at 5:12 PM, Florian Müller <[email protected]> wrote:
>
>> Hi Naresh,
>>
>> The CMIS specification doesn't define how the user authentication should
>> work but it makes two recommendations:
>> - For the AtomPub binding: HTTP Basic Authentication
>> - For the Web Services binding: WS-Security UsernameToken
>>
>> Basically all repositories support those methods and they are used by
>> default by OpenCMIS.
>> Note, that in both cases usernames and passwords are sent in clear text.
>> That is, on a production system you should ALWAYS use HTTPS!
>>
>> Some repositories also support more sophisticated and more secure
>> authentication methods that don't require HTTPS.
>> Please consult the repository vendor which additional methods are provided.
>>
>> OpenCMIS can support those as well with a little bit of custom code. Please
>> see [1][2][3].
>>
>>
>> - Florian
>>
>>
>> [1] http://chemistry.apache.org/java/developing/client/dev-client-bindings.html#OpenCMISClientBindings-CustomAuthenticationProvider
>> [2] http://chemistry.apache.org/java/0.4.0/maven/apidocs/org/apache/chemistry/opencmis/commons/spi/AuthenticationProvider.html
>> [3] Java class: org.apache.chemistry.opencmis.client.bindings.spi.StandardAuthenticationProvider
>>
>>
>> On 28/06/2011 21:39, Naresh Bhatia wrote:
>>> When I create a CMIS session using SessionFactory.createSession(), how is
>>> the password sent to the server - is it sent in clear text, hashed, does it
>>> depend on the protocol (AtomPub vs. Web Service)? Just trying to figure out
>>> how secure it is between OpenCMIS and the server.
>>>
>>> Thanks.
>>> Naresh
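An added example, not part of the original thread and not OpenCMIS project code: it shows why HTTP Basic credentials count as clear text (the header is only Base64-encoded) and builds AtomPub session parameters through a guard that rejects any non-HTTPS URL. The class and helper names, host, repository id and credentials are constructed placeholders; it assumes Java 8+ and the OpenCMIS client library on the classpath.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

import org.apache.chemistry.opencmis.client.api.Session;
import org.apache.chemistry.opencmis.client.api.SessionFactory;
import org.apache.chemistry.opencmis.client.runtime.SessionFactoryImpl;
import org.apache.chemistry.opencmis.commons.SessionParameter;
import org.apache.chemistry.opencmis.commons.enums.BindingType;

public class HttpsOnlyCmisSession {

    /** Hypothetical helper: builds AtomPub parameters, refusing any URL that is not https. */
    static Map<String, String> atomPubParameters(String url, String user,
                                                 String password, String repositoryId) {
        URI uri = URI.create(url);
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            throw new IllegalArgumentException(
                    "Refusing to send Basic credentials to non-HTTPS URL: " + url);
        }
        Map<String, String> p = new HashMap<>();
        p.put(SessionParameter.BINDING_TYPE, BindingType.ATOMPUB.value());
        p.put(SessionParameter.ATOMPUB_URL, url);
        p.put(SessionParameter.REPOSITORY_ID, repositoryId);
        p.put(SessionParameter.USER, user);
        p.put(SessionParameter.PASSWORD, password);
        return p;
    }

    /** Header value produced by HTTP Basic Authentication: an encoding, not encryption. */
    static String basicHeader(String user, String password) {
        byte[] raw = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    public static void main(String[] args) {
        // Constructed sample credentials; the decode step needs no key or secret.
        String header = basicHeader("alice", "s3cret");
        byte[] back = Base64.getDecoder().decode(header.substring("Basic ".length()));
        System.out.println(header + " decodes to " + new String(back, StandardCharsets.UTF_8));

        Map<String, String> params = atomPubParameters(
                "https://cmis.example.com/atom", "alice", "s3cret", "repo-id-placeholder");
        SessionFactory factory = SessionFactoryImpl.newInstance();
        // The TLS handshake fails unless the server certificate is trusted by the JVM.
        Session session = factory.createSession(params);
        System.out.println(session.getRepositoryInfo().getName());
    }
}
```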
