Hi, Some own experiences about small troubles because of how OJ is handling username:password
- When giving a presentation for audience on-screen or for someone in your work room: URL-box shows username:password - Credentials must be painted over from screen captures - Workbench-state.xml stores URLs with credentials as plain text into AddWMSQueryPlugin.CACHED_URL - Project file (.jmp) does the same I am not an expert, but I suppose that a slightly better way to use Basic auth would be to make OpenJUMP to write the http header "Authorizarion" Authorization: Basic aHR0cHdhdGNoOmY= http://www.httpwatch.com/httpgallery/authentication/ The base64 encoded string could be saved into workbench-state.xml and into OJ project file even it is by no means safe if someone has an access to the computer. Still it is hard to remember if only seen from the screen. User should still have a possibility to store the credentials so that they are not prompted every time when adding a secured server to project. The same authorization should be used for GetCapabilities and GetMaps and for GetFeatureInfo, if we some day will have a support for that also. Other software has same kind of problems and if one knows what to do username:password can be found for example from an open QGIS session. If not otherwise then by unplugging the network cable it is often possible to generate a revealing error message. It is better to remember that they are called personal computers for a reason. -Jukka- ________________________________________ edgar.soldin wrote: On 15.12.2014 22:45, Rahkonen Jukka (Tike) wrote: > 1) OpenJUMP does not support very well authentication. All it can do is to > add user:password before the base URL as > https://user:password@base_url.<https://user:password@base_url./> we could obfuscate that behind an authentication prompt UI. not sure it is worth the effort, as the user editing should be the user needing the data and hence knowing the credentials to that wms server anyway. you might sway my opinion here. >This is not the same URL that is advertised for GetMap because GetCapabilities >document hopefully does not show the user name and password as plain text already fixed that locally, it reuses the credentials of the GetCap request if the advertised GetMap url does not contain any, just for the weird case they deliver creds. the credentials are still shown in the text field though. additionally working on adding a possibility to modify wms url in WMSQueryEditor later. > > 2) The user:password in OpenJUMP is really tested only with https. Basic > authentication withour https does not make much sense because credentials are > too easy to capture from unsecured traffic. However, the server that Andrei > is using does exactly use basic auth over plain http. right. http auth without encrypted transport layer is negligently insecure. still, if the server is configured without SSL, who are we to judge and prohibit access via plain HTTP. ..ede ------------------------------------------------------------------------------ Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server from Actuate! Instantly Supercharge Your Business Reports and Dashboards with Interactivity, Sharing, Native Excel Exports, App Integration & more Get technology previously reserved for billion-dollar corporations, FREE http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk _______________________________________________ Jump-pilot-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/jump-pilot-devel ------------------------------------------------------------------------------ Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server from Actuate! Instantly Supercharge Your Business Reports and Dashboards with Interactivity, Sharing, Native Excel Exports, App Integration & more Get technology previously reserved for billion-dollar corporations, FREE http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk _______________________________________________ Jump-pilot-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/jump-pilot-devel
