The method below would be vulnerable to replay attacks, since anyone
seeing the encrypted credentials would just be able to append them to any URL
to get that EPerson's access.  If you use it, have the remote app's HTTP
client use an encrypted (HTTPS) channel.

It might be easier to code it using HTTP Basic Authentication, where
the username and password are sent in an HTTP header in a very standard
manner.  You'd still need an encrypted channel to prevent replay attacks.

On the DSpace end, though, you could accept the authentication by adding
a stackable authentication method (see AuthenticationMethod interface)
that picks out the username and password from the Basic Auth cookie and
authenticates them against an EPerson.  There is code to do this
already in the LightweightNetworkInterface patch; see the wiki page for
pointers to that patch.

I'd also recommend looking at the Shibboleth patch someone posted
some months ago; this is exactly the sort of thing Shibboleth is good for.
(I haven't had a chance to check it out yet, alas.)

    -- Larry

> Rahul Suryavanshi wrote:
> > I want to authenticate users to my DSpace from a remote application. Any
> > idea how I can do that?
>
> One way:
> 1) Rewrite the DSpace URL, appending encrypted authentication information.
> 2) Write a servlet filter that decrypts the authentication info, uses it
> to authenticate the user and writes the auth info into the DSpace auth
> session attribute. If this sits outside the other DSpace filters then
> its operation should be transparent to them.
>
> Best regards,
> jim
>
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share your
> opinions on IT & business topics through brief surveys-and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> _______________________________________________
> DSpace-tech mailing list
> DSpace-tech@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/dspace-tech
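
The Basic Authentication approach suggested in the reply above, as an added example that is not part of the original messages and is not DSpace or LightweightNetworkInterface code: a helper that extracts the username and password from the `Authorization` header and refuses to do so on a non-HTTPS request. The class name `BasicAuthParser`, its `parse` method and the sample credentials are hypothetical; the returned pair is what a stackable authentication method would then check against an EPerson.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

// Added example (requires Java 16+ for records). BasicAuthParser is a
// hypothetical helper, not a class from DSpace.
public class BasicAuthParser {

    /** Username/password pair recovered from the header. */
    public record Credentials(String username, String password) {}

    /**
     * @param header value of the Authorization request header (may be null)
     * @param secure value of HttpServletRequest.isSecure() for this request
     */
    public static Optional<Credentials> parse(String header, boolean secure) {
        // Over plain HTTP the header can be captured and replayed: refuse it.
        if (!secure || header == null) return Optional.empty();

        // The scheme name is case-insensitive and is followed by a space.
        if (!header.regionMatches(true, 0, "Basic ", 0, 6)) return Optional.empty();

        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(header.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return Optional.empty();             // payload is not valid base64
        }
        String pair = new String(raw, StandardCharsets.UTF_8);

        // Split on the FIRST colon only: the password may itself contain colons.
        int colon = pair.indexOf(':');
        if (colon <= 0) return Optional.empty(); // no separator or empty username
        return Optional.of(
                new Credentials(pair.substring(0, colon), pair.substring(colon + 1)));
    }

    public static void main(String[] args) {
        // Constructed sample header; the address and password are made up.
        String header = "Basic " + Base64.getEncoder()
                .encodeToString("alice@example.org:s3cr:et".getBytes(StandardCharsets.UTF_8));
        System.out.println(parse(header, true));      // request arrived over HTTPS
        System.out.println(parse(header, false));     // request arrived over plain HTTP
        System.out.println(parse("Basic !!!", true)); // malformed base64 payload
    }
}
```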

