[geeklog-devel] Webservices API in CVS

Blaine Lang devel at portalparts.com
Sun Aug 12 08:45:33 EDT 2007


Dirk Haun wrote:
> Authentication is, of course, handled by the protocol the webservices
> uses. So Atompub in this case:

Right, and that's fine for Atompub, but I was hinting at a generic
authentication service which would require (I'm suggesting) a new field
to hold a unique encrypted key which could be returned and used in
subsequent webservices calls. Otherwise, it appears to me (and I have
not looked at the code or the Atompub service) that others that want to
write a secure service, they need to also implement authentication.
Would it not be a good idea to offer a base authentication service?
Webservice could still add/layer on their own like Atompub is doing.

Anyway, I am off the net for the next 8 days or so.....


> Blaine Lang wrote:
>
>> Although, I think the full power of webservices would be seen if we did
>> implement security and this is how it could be implemented:
>>
>> You send a "authenticate" verb (...)
>
> Authentication is, of course, handled by the protocol the webservices
> uses. So Atompub in this case:
>
>> 14. Securing the Atom Publishing Protocol
>>
>> The Atom Publishing Protocol is based on HTTP. Authentication
>> requirements for HTTP are covered in Section 11 of [RFC2616].
>
> (...)
>
>> At a minimum, client and server
>> implementations MUST be capable of being configured to use HTTP Basic
>> Authentication [RFC2617] in conjunction with a connection made with
>> TLS 1.0 [RFC2246] or a subsequent standards-track version of TLS
>
> (actually, I think it's currently only doing Basic Authentication,
> without TLS - but then again that's about as secure as a direct login)
>
> Once authenticated, it's like the user logged directly into the Geeklog site.
>
> bye, Dirk
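
The base authentication service proposed in this message, sketched as an added example (not Geeklog code and not from either poster): an "authenticate" call returns a key that later calls present. It swaps the "encrypted key" for a random token whose SHA-256 hash is what the new field stores, and the token is a bearer credential, so it needs the TLS transport the quoted Atompub section requires. The class name, methods, TTL and the injected password checker are all assumptions.

```python
import hashlib
import hmac
import secrets
import time


class TokenAuthService:
    """Hypothetical shared authentication layer for web services."""

    def __init__(self, verify_password, ttl=3600, clock=time.time):
        self._verify_password = verify_password  # callable(user, pw) -> bool
        self._ttl = ttl                          # token lifetime in seconds
        self._clock = clock                      # injectable for testing
        # Stand-in for the proposed new user-table field:
        # user -> (sha256 of token, expiry timestamp)
        self._field = {}

    def authenticate(self, user, password):
        """Handle the 'authenticate' verb; return a fresh token or None."""
        if not self._verify_password(user, password):
            return None
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).digest()
        # Only the hash is stored, so a leaked table yields no usable token.
        self._field[user] = (digest, self._clock() + self._ttl)
        return token

    def check(self, user, token):
        """Validate the token presented with a subsequent service call."""
        entry = self._field.get(user)
        if entry is None:
            return False
        digest, expiry = entry
        if self._clock() >= expiry:
            del self._field[user]  # expired tokens are removed, not reused
            return False
        candidate = hashlib.sha256(token.encode()).digest()
        return hmac.compare_digest(digest, candidate)  # constant-time compare

    def revoke(self, user):
        """Log out: drop the stored hash so the token stops working."""
        self._field.pop(user, None)


if __name__ == "__main__":
    # Constructed sample account, for demonstration only.
    svc = TokenAuthService(lambda u, p: (u, p) == ("alice", "s3cret"))
    tok = svc.authenticate("alice", "s3cret")
    print(svc.check("alice", tok), svc.check("alice", "forged"))
```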
