[OTDev] Update Auth&Auth
Luchesar V. ILIEV luchesar.iliev at gmail.com
Tue Mar 23 15:18:07 CET 2010
- Previous message: [OTDev] Update Auth&Auth
- Next message: [OTDev] Update Auth&Auth
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
To be honest, I'm a bit worried about the power of these tokens. Sure, this
gives them great flexibility and makes using them really easy. But consider
this: each service that is presented with such a token (in order to authorise
the specific action requested) will, essentially, have (read-only) access to
all the user's data/attributes, _including_ their password. Yes, it's just the
hash of the password, but this already creates a possibility for at least a
brute-force attack on it, not to mention the inherent flaws in some
implementations -- even the venerable SHA1 algorithm is considered unsafe
today, and MD5 (which is still used surprisingly widely) could only bring a
smile to the face of a determined and well-equipped hacker.

For this reason, I'd like to stress once more how very important it is to keep
the user tokens safe from prying eyes -- or from being unintentionally leaked.
This holds true not just for the network transit, where SSL/TLS will obviously
be a must, but also for the services themselves in how they handle the tokens.

Cheers,
Luchesar

On Tue, Mar 23, 2010 at 16:03, Nina Jeliazkova <nina at acad.bg> wrote:
>
>
> Andreas Maunz wrote:
>> Hi Pantelis,
>>
>> yes, it is possible.
>>
>> Here you can find a condensed list of OpenSSO Services as of 10/2009:
>> http://blogs.sun.com/docteger/entry/opensso_and_rest
>> (also given in the document I sent around).
>>
>> And this is the specific link to "Display Identity Data":
>> http://blogs.sun.com/docteger/entry/opensso_and_rest#attributes
>>
>> Best regards
>> Andreas
>>
>
> Just my two cents:
>
> There should be additional information as well (not only user names, but
> the domain - e.g. the OpenSSO service URI).
>
> Regards,
> Nina
>
>> chung wrote on 03/23/2010 02:44 PM:
>>
>>> Hi Andreas,
>>> There is something that is not yet very clear to me and I think it
>>> would be of interest for other developers as well. A user logs in and
>>> gets a token which it uses to be identified by the various services in
>>> OpenTox. Suppose that a user provides their token to a model creation
>>> service. The created model should have a reference to the user that
>>> created it (something like ot:createdBy={userName}), which means that
>>> services need to know the username behind the token. Will it be
>>> possible to retrieve the username corresponding to a given token?
>>>
>>> Best regards,
>>> Pantelis
>>>
>>> On Fri, 2010-03-19 at 14:43 +0100, Andreas Maunz wrote:
>>>
>>>> Dear All,
>>>>
>>>> please find attached an updated version of the authentication and
>>>> authorization approach based on OpenSSO.
>>>>
>>>> Micha is currently working on migrating OpenTox website users and groups
>>>> into a standalone OpenDS server (LDAP), which is intended to serve as
>>>> the common backend for both Plone and OpenSSO. This way, we can
>>>> hopefully use all existing PLONE group configurations for access
>>>> policies in OpenSSO live!
>>>>
>>>> Things look quite promising up to now. A drawback is currently the lack
>>>> of a REST interface for managing policies. Here is an overview over the
>>>> REST interface implemented in OpenSSO as of 10/2009:
>>>> http://blogs.sun.com/docteger/entry/opensso_and_rest
>>>>
>>>> Best regards
>>>> Andreas
>>>> _______________________________________________
>>>> Development mailing list
>>>> Development at opentox.org
>>>> http://www.opentox.org/mailman/listinfo/development
>>>>
>>>
>>
>
> _______________________________________________
> Development mailing list
> Development at opentox.org
> http://www.opentox.org/mailman/listinfo/development
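The two concerns raised in this message (a service that sees every attribute behind a token also sees the password hash, and an unsalted SHA1/MD5 hash is open to offline brute force) and Pantelis's need to pull only the username out of a token for ot:createdBy can be made concrete with a short script. The following is an added example written for this archive; it is not code from the OpenTox project, from OpenSSO or from any list member. The attribute record, the user, the wordlist and the stored-hash formats are constructed for illustration, and the attribute names (uid, memberOf, userPassword with an LDAP-style {SHA} value) are assumptions chosen to resemble a directory entry.

```python
"""Added example (not OpenTox or OpenSSO code): why a password hash that
rides along with a token's attributes is a problem, and what a service
should actually retain from such an attribute set.

Everything here is constructed for illustration. The attribute names
imitate an LDAP entry; the user, address, group and password are invented.
"""
import base64
import hashlib
import hmac
import os
from typing import Any, Callable, Dict, Iterable, Optional

# Attribute names a service must never store or forward, even if the
# identity endpoint returns them. Names are assumed, chosen to look like LDAP.
SENSITIVE_ATTRIBUTES = {"userPassword", "authPassword"}


def ldap_sha(password: bytes) -> str:
    """Unsalted {SHA} userPassword value as older directories store it:
    base64 of one SHA-1 digest. No salt, no work factor."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password).digest()).decode()


# Constructed record: what a service sees if "display identity data" hands
# back every attribute behind a token, password hash included.
SAMPLE_ATTRIBUTES: Dict[str, Any] = {
    "uid": "pantelis",
    "mail": "pantelis@example.org",
    "memberOf": ["cn=opentox-devs,ou=groups,dc=example,dc=org"],
    "userPassword": ldap_sha(b"opentox2010"),
}

# Constructed wordlist; real attackers use millions of entries and GPUs.
WORDLIST = [b"password", b"letmein", b"opentox", b"opentox2010", b"qsar"]


def dictionary_attack(matches: Callable[[bytes], bool],
                      candidates: Iterable[bytes]) -> Optional[bytes]:
    """Offline guessing: the attacker already holds the hash, so there is
    no rate limit and no lockout, only the cost of one check per guess."""
    for guess in candidates:
        if matches(guess):
            return guess
    return None


def crack_ldap_sha(stored: str, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Against unsalted SHA-1 each guess is a single digest, and the same
    precomputed table serves every user in the directory."""
    return dictionary_attack(lambda g: ldap_sha(g) == stored, candidates)


def pbkdf2_hash(password: bytes, salt: Optional[bytes] = None,
                iterations: int = 100_000) -> str:
    """Salted, iterated alternative (PBKDF2-HMAC-SHA256), encoded as
    'pbkdf2$<iterations>$<salt hex>$<digest hex>' (format assumed)."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: bytes, stored: str) -> bool:
    """Constant-time comparison against the stored parameters."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password, bytes.fromhex(salt_hex),
                             int(iterations))
    return hmac.compare_digest(dk.hex(), digest_hex)


def crack_pbkdf2(stored: str, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Same attack, but every guess now costs <iterations> HMACs and the
    per-user salt means the work cannot be shared across users. A weak
    password still falls; the point is the cost multiplier."""
    return dictionary_attack(lambda g: pbkdf2_verify(g, stored), candidates)


def attributes_for_service(attrs: Dict[str, Any],
                           needed: Iterable[str]) -> Dict[str, Any]:
    """What a model service should keep from the attribute set: only the
    attributes it needs (e.g. uid for ot:createdBy), never a sensitive one,
    even if it is listed in `needed`."""
    return {k: attrs[k] for k in needed
            if k in attrs and k not in SENSITIVE_ATTRIBUTES}


if __name__ == "__main__":
    print("unsalted SHA-1 cracked:",
          crack_ldap_sha(SAMPLE_ATTRIBUTES["userPassword"], WORDLIST))
    slow = pbkdf2_hash(b"opentox2010")
    print("PBKDF2 cracked (slowly):", crack_pbkdf2(slow, WORDLIST))
    print("kept for ot:createdBy:",
          attributes_for_service(SAMPLE_ATTRIBUTES, ["uid", "userPassword"]))
```

Two practical points follow from running it: the unsalted hash falls to a handful of guesses at the cost of one SHA-1 each, which is exactly the exposure the message describes once such a value leaves the directory; and the service-side filter shows that the username lookup Pantelis asks for does not require the whole attribute set, so the identity endpoint should be asked only for uid (and, as Nina suggests, the domain), with anything in SENSITIVE_ATTRIBUTES dropped before the response is logged or persisted.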