My apologies for taking so long to write this up. Like Andy, I make no specific mention of how DAS clients and servers would use the authentication information.
HTTP Authentication has 4 different dialects.

1. Basic (clear-text, Base64 encoded)
2. Digest (Better security than clear-text)
3. NTLM (Windows Authentication)
4. Negotiate (for Kerberos and NTLM)

If we go with HTTP authentication, I would recommend that we only require Basic and Digest authentication to be supported by DAS clients and servers.

Pros of HTTP Authentication

- Almost all client libraries support basic and digest HTTP authentication
- HTTP Authentication is easy to integrate with existing password databases
- Easy to implement on the server side
- All authentication information is stored in the HTTP header
- Simple for DAS server administrators to set up and test without having to rely on a third party

Cons of HTTP Authentication

- The implementations available in servlet containers, apache, etc. will not work for DAS. Servers will have to provide their own implementation
- The challenge/response design of HTTP authentication--sending a 401 Authorization Required when accessing a secured URL--would leak sensitive information. (can be mitigated)
- Users would have to log in to each server supporting authentication separately
- Basic authentication transmits the user name and password in the clear for every request

Cheers,
~Steven
_______________________________________________ DAS mailing list [email protected] http://lists.open-bio.org/mailman/listinfo/das
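Added example (not part of Steven's message or any DAS implementation) illustrating the difference between the two dialects he recommends: a Basic header is only Base64, so the password is recoverable by anyone who sees the request, while an RFC 2617 Digest response is an MD5 of credentials plus server nonce, so the password itself never goes on the wire and a replay under a new nonce fails. The user name, password, realm and request URI are constructed sample values; MD5-based Digest is dated and neither scheme is a substitute for TLS.

```python
import base64
import hashlib
import secrets

# Constructed sample credentials and request; not from any real DAS server.
USER, PASSWORD, REALM = "alice", "s3cret", "das-server"
METHOD, URI = "GET", "/das/hg18/features?segment=chr1:1,1000"


def basic_header(user: str, password: str) -> str:
    """Basic: 'user:password' is Base64-encoded, not encrypted."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def decode_basic(header: str) -> tuple:
    """Anyone who observes the header recovers the cleartext password."""
    raw = base64.b64decode(header.split(" ", 1)[1]).decode()
    user, password = raw.split(":", 1)
    return user, password


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, password, realm, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side of RFC 2617 Digest with qop=auth: the password is hashed, never sent."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify_digest(stored_ha1, method, uri, nonce, nc, cnonce, qop, response) -> bool:
    """Server side: recompute from the stored HA1; no cleartext password is needed."""
    ha2 = _md5(f"{method}:{uri}")
    expected = _md5(f"{stored_ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return secrets.compare_digest(expected, response)


def demo() -> dict:
    """Compare what each scheme exposes for the same sample request."""
    basic = basic_header(USER, PASSWORD)
    nonce = secrets.token_hex(16)      # would arrive in the server's 401 challenge
    cnonce = secrets.token_hex(8)
    response = digest_response(USER, PASSWORD, REALM, METHOD, URI, nonce, "00000001", cnonce)
    stored_ha1 = _md5(f"{USER}:{REALM}:{PASSWORD}")   # what the server keeps on file
    return {
        "basic_leaks_password": decode_basic(basic)[1] == PASSWORD,
        "password_in_digest": PASSWORD in response,
        "digest_verifies": verify_digest(stored_ha1, METHOD, URI, nonce, "00000001", cnonce, "auth", response),
        "replay_with_new_nonce_rejected": not verify_digest(
            stored_ha1, METHOD, URI, secrets.token_hex(16), "00000001", cnonce, "auth", response),
    }
```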
