Hi Keith,

DSpace REST requires SSL, because the client could send the auth-token to any request, and that is considered sensitive information. The auth-token allows the request to authorize the DSpace context as a certain DSpace eperson based on that token. So, if certain metadata fields, items, bitstreams, collections, communities are hidden, then an authorized person could access them. Also, the token enables that request to Create, Edit, Delete. Tokens are UUIDs and are generated once a request successfully posts username/password to /login.

I don't think we document this, but you could disable REST's requirement for SSL. Caveat emptor.

https://github.com/DSpace/DSpace/blob/master/dspace-rest/src/main/webapp/WEB-INF/web.xml#L52

Change:
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
To:
<transport-guarantee>NONE</transport-guarantee>

You don't even have to rebuild DSpace to do that. Just edit /dspace/webapps/rest/WEB-INF/web.xml and restart Tomcat.

I understand adding this bypass for a localhost development environment. But I would advise against doing this in a deployed / production instance. I assume the likelihood of someone snooping is very low, but someone posting their token in a coffee shop wifi over port 80 is not encrypted, and they could authorize as you. Sites like Facebook in the past would have been vulnerable to a firesheep-style problem with having unencrypted session/auth information.

________________
Peter Dietz
Longsight
www.longsight.com
[email protected]
p: 740-599-5005 x809

On Tue, Dec 8, 2015 at 11:16 AM, Keith Jones <[email protected]> wrote:
>
> We want to run REST and the documentation says it should run with SSL
> enabled.
>
> What did you do to configure just REST running as SSL?
>
> Thanks
> Keith
>
> On Tue, Dec 8, 2015 at 9:09 AM, helix84 <[email protected]> wrote:
>
>> On Tue, Dec 8, 2015 at 2:32 PM, Keith Jones <[email protected]> wrote:
>> > I have another REST question? Really about SSL, has anyone set up their site
>> > to run REST with SSL but do not run the repository with SSL?
>>
>> Yes, why?
>>
>> http://demo.dspace.org/xmlui/
>> https://demo.dspace.org/rest/
>>
>>
>> Regards,
>> ~~helix84
>>
>> Compulsory reading: DSpace Mailing List Etiquette
>> https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette
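
An added example (not part of the original thread and not DSpace code): a Python check that reads a servlet web.xml and lists the URL patterns whose transport-guarantee is anything other than CONFIDENTIAL, so that the development-only change described above is caught before it reaches a deployed instance. The sample web.xml is constructed for illustration, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample for illustration; this is not DSpace's actual web.xml.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/login</url-pattern></web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/status</url-pattern></web-resource-collection>
  </security-constraint>
</web-app>
"""


def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def cleartext_patterns(web_xml_text):
    """Return (url-pattern, guarantee) pairs that do not force HTTPS."""
    findings = []
    root = ET.fromstring(web_xml_text)
    for sc in root.iter():
        if local(sc.tag) != "security-constraint":
            continue
        # A constraint with no user-data-constraint gives no transport guarantee.
        patterns, guarantee = [], "NONE"
        for el in sc.iter():
            if local(el.tag) == "url-pattern":
                patterns.append((el.text or "").strip())
            elif local(el.tag) == "transport-guarantee":
                guarantee = (el.text or "").strip().upper()
        if guarantee != "CONFIDENTIAL":
            findings.extend((p, guarantee) for p in patterns)
    return findings


if __name__ == "__main__":
    for pattern, guarantee in cleartext_patterns(SAMPLE_WEB_XML):
        print(f"{pattern}: transport-guarantee is {guarantee}")
```

Run against the deployed file (the thread gives its location as /dspace/webapps/rest/WEB-INF/web.xml) by passing the file's contents to `cleartext_patterns`; an empty list means every declared constraint requires CONFIDENTIAL.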
