Re: [dev] webdavandgvfslocking1 [was: Re: [dev] How to import external data with username/password?]

2008-04-07 Thread Stephan Bergmann

Mathias Bauer wrote:

Hi Stephan,

Stephan Bergmann wrote:


Jan Holesovsky wrote:

Hi Mathias,

On Wednesday 02 of April 2008, Mathias Bauer wrote:


Hi, I'm new to Calc, and fascinated by its power, but while using "Link
to External Data" to get realtime stock quote, the website asks me to log
in first, would you mind telling me how to type username/password when
importing external data? Thanks. - psist -

I assume that "external data" shall mean "http". In ftp you could use
the "user:[EMAIL PROTECTED]" syntax, not sure if this is possible for http.
Unfortunately not until the CWS webdavandgvfslocking1 which changes 
tools/source/fsys/urlobj.cxx to support the user and password for http as 
well.
HTTP URLs never allowed for a user:password part (see RFCs 1738, 2616), 
and probably for good reason:  'Some URL schemes use the format 
"user:password" in the userinfo field. This practice is NOT RECOMMENDED, 
because the passing of authentication information in clear text (such as 
URI) has proven to be a security risk in almost every case where it has 
been used.' [http://www.rfc-editor.org/rfc/rfc2396.txt]


Anyway, if you do change behavior of protocols or add new protocols at 
tools/source/fsys/urlobj.cxx, please remember to update the grammar 
documentation at the top of the file.


Should we take your mail as a suggestion not to add this feature to the UCB?


kendy, : 
 'As to the username & password, it is convenient in the WebDAV case to 
be able to provide the possibility, and the code in the WebDAV UCP had 
code for that (though a bit broken).  I agree that it is not good user 
behavior, but OTOH the users want it 
(https://bugzilla.novell.com/show_bug.cgi?id=363363), and other 
applications (in KDE and Gnome) support this as well, so...  But if you 
insist it should not be there, I can make it ooo-build only [though I'd 
rather up-stream it].'


sb, : 
'Nah, having it only downstream in ooo-build is probably not what 
anybody wants.  I do not *insist*, so if you *do* insist---go ahead.'



In this case the Calc team should get a bug report to make sure that
external data always is loaded with providing an interaction handler, so
that a password dialog can be shown when needed.


I still think that using user:pwd (esp. pwd) is a bad idea, so even if 
we do allow that aberration, I would not recommend making use of it. 
That would imply, yes, that any use case should be solvable without 
resorting to storing passwords in URLs.


-Stephan

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [dev] webdavandgvfslocking1 [was: Re: [dev] How to import external data with username/password?]

2008-04-07 Thread Mathias Bauer
Hi Stephan,

Stephan Bergmann wrote:

> Jan Holesovsky wrote:
>> Hi Mathias,
>> 
>> On Wednesday 02 of April 2008, Mathias Bauer wrote:
>> 
 Hi, I'm new to Calc, and fascinated by its power, but while using "Link
 to External Data" to get realtime stock quote, the website asks me to log
 in first, would you mind telling me how to type username/password when
 importing external data? Thanks. - psist -
>>> I assume that "external data" shall mean "http". In ftp you could use
>>> the "user:[EMAIL PROTECTED]" syntax, not sure if this is possible for http.
>> 
>> Unfortunately not until the CWS webdavandgvfslocking1 which changes 
>> tools/source/fsys/urlobj.cxx to support the user and password for http as 
>> well.
> 
> HTTP URLs never allowed for a user:password part (see RFCs 1738, 2616), 
> and probably for good reason:  'Some URL schemes use the format 
> "user:password" in the userinfo field. This practice is NOT RECOMMENDED, 
> because the passing of authentication information in clear text (such as 
> URI) has proven to be a security risk in almost every case where it has 
> been used.' [http://www.rfc-editor.org/rfc/rfc2396.txt]
> 
> Anyway, if you do change behavior of protocols or add new protocols at 
> tools/source/fsys/urlobj.cxx, please remember to update the grammar 
> documentation at the top of the file.

Should we take your mail as a suggestion not to add this feature to the UCB?

In this case the Calc team should get a bug report to make sure that
external data always is loaded with providing an interaction handler, so
that a password dialog can be shown when needed.

Ciao,
Mathias

-- 
Mathias Bauer (mba) - Project Lead OpenOffice.org Writer
OpenOffice.org Engineering at Sun: http://blogs.sun.com/GullFOSS
Please don't reply to "[EMAIL PROTECTED]".
I use it for the OOo lists and only rarely read other mails sent to it.


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



[dev] webdavandgvfslocking1 [was: Re: [dev] How to import external data with username/password?]

2008-04-03 Thread Stephan Bergmann

Jan Holesovsky wrote:

Hi Mathias,

On Wednesday 02 of April 2008, Mathias Bauer wrote:


Hi, I'm new to Calc, and fascinated by its power, but while using "Link
to External Data" to get realtime stock quote, the website asks me to log
in first, would you mind telling me how to type username/password when
importing external data? Thanks. - psist -

I assume that "external data" shall mean "http". In ftp you could use
the "user:[EMAIL PROTECTED]" syntax, not sure if this is possible for http.


Unfortunately not until the CWS webdavandgvfslocking1 which changes 
tools/source/fsys/urlobj.cxx to support the user and password for http as 
well.


HTTP URLs never allowed for a user:password part (see RFCs 1738, 2616), 
and probably for good reason:  'Some URL schemes use the format 
"user:password" in the userinfo field. This practice is NOT RECOMMENDED, 
because the passing of authentication information in clear text (such as 
URI) has proven to be a security risk in almost every case where it has 
been used.' [http://www.rfc-editor.org/rfc/rfc2396.txt]


Anyway, if you do change behavior of protocols or add new protocols at 
tools/source/fsys/urlobj.cxx, please remember to update the grammar 
documentation at the top of the file.


-Stephan

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [dev] How to import external data with username/password?

2008-04-02 Thread Bernd Eilers

Jan Holesovsky wrote:

Hi Mathias,



Hi there!


On Wednesday 02 of April 2008, Mathias Bauer wrote:


Hi, I'm new to Calc, and fascinated by its power, but while using "Link
to External Data" to get realtime stock quote, the website asks me to log
in first, would you mind telling me how to type username/password when
importing external data? Thanks. - psist -

I assume that "external data" shall mean "http". In ftp you could use
the "user:[EMAIL PROTECTED]" syntax, not sure if this is possible for http.


Unfortunately not until the CWS webdavandgvfslocking1 which changes 
tools/source/fsys/urlobj.cxx to support the user and password for http as 
well.




I suppose this CWS is only going to solve HTTP Basic and HTTP Digest 
Authentication as per rfc2617. But what about the much more common case 
of sites which are using form-based Authentication and than set a cookie 
to indicate that the user has been logged in successfully or use a 
special redirect URL after a successful login? Is there already a 
solution for being able to use such sites with calc in the works as well?


To even extend this idea I could imagine a system where a sequence of 
urls must be executed with checking of results between each step before 
finally the URL which get´s you the data into calc can be executed. The 
external Data Link dialog could than let the user specify such sequence 
or even better two such sequences one that is to be executed just once 
and one that is to be executed before every update of the data. 
Placeholders in the URL which can be replaced by values of calc cells 
would be a nice idea there too. Doing so would solve the login problem 
as well as enable a bunch of other solutions such as being able to 
calculate with the result of a complex website query.


And just one related question: when connecting to http sites does the 
UCP for http+webdav maintain state at all at the momment? That is are 
cookies set by the server stored and send at the next request? If the 
answer to this is yes there might be a possible other solution which 
could already work now how to solve the login to 
form-based-authentication sites and other problems.



Regards,
Jan



Regards,
Bernd Eilers

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [dev] How to import external data with username/password?

2008-04-02 Thread Jan Holesovsky
Hi Mathias,

On Wednesday 02 of April 2008, Mathias Bauer wrote:

> > Hi, I'm new to Calc, and fascinated by its power, but while using "Link
> > to External Data" to get realtime stock quote, the website asks me to log
> > in first, would you mind telling me how to type username/password when
> > importing external data? Thanks. - psist -
>
> I assume that "external data" shall mean "http". In ftp you could use
> the "user:[EMAIL PROTECTED]" syntax, not sure if this is possible for http.

Unfortunately not until the CWS webdavandgvfslocking1 which changes 
tools/source/fsys/urlobj.cxx to support the user and password for http as 
well.

Regards,
Jan

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [dev] How to import external data with username/password?

2008-04-02 Thread Mathias Bauer
SHUE Jon wrote:

> Hi, I'm new to Calc, and fascinated by its power, but while using "Link to 
> External Data" to get realtime stock quote, the website asks me to log in 
> first, would you mind telling me how to type username/password when importing 
> external data? Thanks.
> - psist -
> 
> _
> 用部落格分享照片、影音、趣味小工具和最愛清單,盡情秀出你自己 — Windows Live Spaces
> http://spaces.live.com/

I assume that "external data" shall mean "http". In ftp you could use
the "user:[EMAIL PROTECTED]" syntax, not sure if this is possible for http.

Ciao,
Mathias

-- 
Mathias Bauer (mba) - Project Lead OpenOffice.org Writer
OpenOffice.org Engineering at Sun: http://blogs.sun.com/GullFOSS
Please don't reply to "[EMAIL PROTECTED]".
I use it for the OOo lists and only rarely read other mails sent to it.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]