Hi Ede,

I did not follow the whole discussion, but noticed a recent regression.
version r4108 is the last version on my computer where I can get a 
stream from the following URL
https://user:[email protected]/u4wajnl1z3xw1jfr54xjoi4o/geoportail/r/wms?service=wms

in 1.8.0 and more recent versions, I cannot get the same stream anymore.
The UI has slightly changed, but I tried to write the URL + credential 
every way
I could imagine without success
Any idea what could have break ?
I can send the credential privately if it helps

Michaƫl

PS : my work does not let me the time to contribute much these times,
but I'm still using it a lot ;-)


> hmm,
>
> as you already stated. the base64 encoded string is essentially the 
> authorization. so having that, you do not need no user/password anymore.
>
> also, in case we are going to support different auth schemes for http, we 
> would have a problem if we fixed the saved auth to be base64 encoded.
> currently we simply assume that the server supports
>   http://en.wikipedia.org/wiki/Basic_access_authentication
> and send it. this looks error prone, as there are other possible auth 
> schemes. maybe they are not used widely for wms servers. not sure. Jukka, do 
> you know?
>
> ok, i'd be willing to rework the UI to support user/pass textfields (pass 
> obfuscated), but internally the auth stays plain text and will be saved as 
> such into the state and project files.
> any try to obfuscate something into these files will be pointless as we are 
> an _open_ source project. and decompiling java is also script kid level these 
> days.
>
> at a later stage we might think about not saving passphrases (enabled via 
> checkbox), but ask for them and cache them for each server session-wise. but 
> that's just spitballing.
>
> ..ede
>
> On 16.12.2014 12:36, Rahkonen Jukka (Tike) wrote:
>> Hi,
>>
>> Some own experiences about small troubles because of how OJ is handling 
>> username:password
>>
>> - When giving a presentation for audience on-screen or for someone in your 
>> work room: URL-box shows username:password
>> - Credentials must be painted over from screen captures
>> - Workbench-state.xml stores URLs with credentials as plain text into 
>> AddWMSQueryPlugin.CACHED_URL
>> - Project file (.jmp) does the same
>>
>> I am not an expert, but I suppose that a slightly better way to use Basic 
>> auth would be to make OpenJUMP to write the http header "Authorizarion"
>> Authorization: Basic aHR0cHdhdGNoOmY=
>> http://www.httpwatch.com/httpgallery/authentication/
>>
>> The base64 encoded string could be saved into workbench-state.xml and into 
>> OJ project file even it is by no means safe if someone has an access to the 
>> computer. Still it is hard to remember if only seen from the screen.
>>
>> User should still have a possibility to store the credentials so that they 
>> are not prompted every time when adding a secured server to project. The 
>> same authorization should be used for GetCapabilities and GetMaps and for 
>> GetFeatureInfo, if we some day will have a support for that also.
>>
>> Other software has same kind of problems and if one knows what to do 
>> username:password can be found for example from an open QGIS session. If not 
>> otherwise then by unplugging the network cable it is often possible to 
>> generate a revealing error message. It is better to remember that they are 
>> called personal computers for a reason.
>>
>> -Jukka-
>>
>> ________________________________________
>> edgar.soldin wrote:
>>
>> On 15.12.2014 22:45, Rahkonen Jukka (Tike) wrote:
>>> 1) OpenJUMP does not support very well authentication. All it can do is to 
>>> add user:password before the base URL as 
>>> https://user:password@base_url.<https://user:password@base_url./>
>> we could obfuscate that behind an authentication prompt UI. not sure it is 
>> worth the effort, as the user editing should be the user needing the data 
>> and hence knowing the credentials to that wms server anyway. you might sway 
>> my opinion here.
>>
>>> This is not the same URL that is advertised for GetMap because 
>>> GetCapabilities document hopefully does not show the user name and password 
>>> as plain text
>> already fixed that locally, it reuses the credentials of the GetCap request 
>> if the advertised GetMap url does not contain any, just for the weird case 
>> they deliver creds.
>> the credentials are still shown in the text field though.
>>
>> additionally working on adding a possibility to modify wms url in 
>> WMSQueryEditor later.
>>
>>> 2) The user:password in OpenJUMP is really tested only with https. Basic 
>>> authentication withour https does not make much sense because credentials 
>>> are too easy to capture from unsecured traffic. However, the server that 
>>> Andrei is using does exactly use basic auth over plain http.
>> right. http auth without encrypted transport layer is negligently insecure. 
>> still, if the server is configured without SSL, who are we to judge and 
>> prohibit access via plain HTTP.
>>
>> ..ede
>>
>> ------------------------------------------------------------------------------
>> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
>> from Actuate! Instantly Supercharge Your Business Reports and Dashboards
>> with Interactivity, Sharing, Native Excel Exports, App Integration & more
>> Get technology previously reserved for billion-dollar corporations, FREE
>> http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk
>> _______________________________________________
>> Jump-pilot-devel mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/jump-pilot-devel
>>
>> ------------------------------------------------------------------------------
>> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
>> from Actuate! Instantly Supercharge Your Business Reports and Dashboards
>> with Interactivity, Sharing, Native Excel Exports, App Integration & more
>> Get technology previously reserved for billion-dollar corporations, FREE
>> http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk
>> _______________________________________________
>> Jump-pilot-devel mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/jump-pilot-devel
>>
> ------------------------------------------------------------------------------
> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
> from Actuate! Instantly Supercharge Your Business Reports and Dashboards
> with Interactivity, Sharing, Native Excel Exports, App Integration & more
> Get technology previously reserved for billion-dollar corporations, FREE
> http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk
> _______________________________________________
> Jump-pilot-devel mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/jump-pilot-devel
>


------------------------------------------------------------------------------
New Year. New Location. New Benefits. New Data Center in Ashburn, VA.
GigeNET is offering a free month of service with a new server in Ashburn.
Choose from 2 high performing configs, both with 100TB of bandwidth.
Higher redundancy.Lower latency.Increased capacity.Completely compliant.
http://p.sf.net/sfu/gigenet
_______________________________________________
Jump-pilot-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/jump-pilot-devel

Reply via email to