I'm using Apache FOP and have no idea if it can be configured to handle user/passwords. It doesn't 'out of the box'. Maybe it can ...

Even if it could I'd have to send the user/pass using some other possibly insecure mechanism. For example, how does the ML *application* know the password? I don't believe I have access to it from within the app, unless I'm doing application level authentication, then I'd have to store it in a session variable or cookie (??). Currently I'm doing digest authentication so the app doesn't have access (that I know of) to the password used to login. I can simply hard code it in either the ML app or the tomcat app. But if I hard code it why bother with authentication in the first place. And then IT changes the password and the app breaks.

There are certainly a lot of *possible* ways to solve this problem but many of them have huge security holes, or are very complicated. This is what I mean about the problem of sending around authentication information. It's not too hard to do *badly* but it's hard to do well. I'd love to have access to a simple secure pre-authenticated time-expiration-bound token I could send across processes or machines over an open channel.

-David

From: [email protected] [mailto:[email protected]] On Behalf Of Justin Makeig
Sent: Sunday, April 18, 2010 5:57 PM
To: General Mark Logic Developer Discussion
Subject: Re: [MarkLogic Dev General] RE: Passing authentication information in a URL

David,

Which FOP processor are you using on the Java side? Does it have specific configuration that would allow you to specify a user/password for HTTP authentication?

Justin

Justin Makeig
Product Manager
Mark Logic Corporation
999 Skyway Road Suite 200
San Carlos, CA 94070
+1 650 655 2387 Phone
[email protected]
www.marklogic.com <http://www.marklogic.com/>

This e-mail and any accompanying attachments are confidential. The information is intended solely for the use of the individual to whom it is addressed. Any review, disclosure, copying, distribution, or use of this e-mail communication by others is strictly prohibited. If you are not the intended recipient, please notify us immediately by returning this message to the sender and delete all copies. Thank you for your cooperation.

On Apr 18, 2010, at 8:06 AM, Lee, David wrote:

Why do you want to re-login? To utilize permissions on the images?

Yes. The theory being I could then count on ML to do authentication for me instead of making it up myself. This is all somewhat pedantic because in this case I don't really need high security for the images, just was hoping for a general solution that could be reused 'next time' when I really want security.

I propose to MarkLogic that implementing a security token mechanism in the system would be a good thing. Of course I realize it's a LOT harder to do right than to hack it. Once you open the whole can of worms about passing around pre-authenticated tokens it's truly a tough security problem to solve perfectly so I can see why they haven't implemented it (yet). But on the other hand, since it is so hard to do right, it really is something that should be done by the system, not re-invented by every user, who won't do as good a job.

-David

----------------------------------------
David A. Lee
Senior Principal Software Engineer
Epocrates, Inc.
[email protected]
812-482-5224

_______________________________________________
General mailing list
[email protected]
http://xqzone.com/mailman/listinfo/general
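One shape the "pre-authenticated time-expiration-bound token" discussed in this thread could take, as an added illustration that is not part of the thread and not a MarkLogic feature: an HMAC-signed token that binds the user, the requested resource path and an expiry time, issued by the application that has already authenticated the user and verified by the receiving application using only a shared secret, so no password ever travels in the URL. `SECRET`, `issue_token` and `verify_token` are assumed names; the secret value is constructed for the example.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Hypothetical shared secret, provisioned to both applications out of band
# (constructed sample value; in practice it lives in each app's configuration).
SECRET = b"constructed-shared-secret-for-this-example"
TOKEN_TTL_SECONDS = 300  # how long an issued token stays valid


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, user: str, path: str, now: Optional[int] = None,
                ttl: int = TOKEN_TTL_SECONDS) -> str:
    """Issued by the side that has already authenticated the user."""
    expires = int(time.time() if now is None else now) + ttl
    payload = f"{user}|{expires}|{path}".encode()
    mac = hmac.new(secret, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(mac)}"


def verify_token(secret: bytes, token: str, path: str,
                 now: Optional[int] = None) -> Optional[str]:
    """Checked by the receiving side; returns the user name, or None if rejected."""
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        mac = _unb64(mac_b64)
        user, expires_text, token_path = payload.decode().split("|", 2)
        expires = int(expires_text)
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    # Constant-time comparison so the MAC check does not leak timing information.
    if not hmac.compare_digest(mac, expected):
        return None  # forged or altered token, or wrong shared secret
    if token_path != path:
        return None  # token was issued for a different resource
    if int(time.time() if now is None else now) > expires:
        return None  # expired
    return user
```

The token is still a bearer credential for the window it covers, so it belongs on a TLS channel and the shared secret must never appear in a URL or in client-visible code.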
