Looking for an authentication approach

Looking for an authentication approach

Colin Berry
I know that this is a more generic question, but since all my secure web apps are Orbeon-based I am most interested in your suggestions. My app will only need to be remotely accessible to a small number (say ten) of hand-picked users, all of whom now access the server via ssh or PuTTY using key-based authentication. Local use of ssh would also be helpful as it would prevent multiple password entries, but not really essential for security as it all takes place under my direct physical control.

My fantasy is that someone out there knows a key-based analog to the standard java-authentication example. Providing a username and using xf:upload to locate the key seems simple enough, but wouldn't that post the private key across the net to the server?

Any ideas or links to ideas would be much appreciated.

Re: Looking for an authentication approach

Erik Bruchez
Administrator
Colin,

So really you are looking for something different from regular
username/password authentication, or did I get that wrong?

-Erik

On Tue, Jul 28, 2009 at 7:40 AM, Colin Berry <[hidden email]> wrote:

>
> I know that this is a more generic question, but since all my secure web apps
> are Orbeon-based I am most interested in your suggestions. My app will only
> need to be remotely accessible to a small number (say ten) of hand-picked
> users, all of whom now access the server via ssh or PuTTY using key-based
> authentication. Local use of ssh would also be helpful as it would prevent
> multiple password entries, but not really essential for security as it all
> takes place under my direct physical control.
>
> My fantasy is that someone out there knows a key-based analog to the
> standard java-authentication example. Providing a username and using
> xf:upload to locate the key seems simple enough, but wouldn't that post the
> private key across the net to the server?
>
> Any ideas or links to ideas would be much appreciated.
> --
> View this message in context: http://www.nabble.com/Looking-for-an-authentication-approach-tp24699360p24699360.html
> Sent from the ObjectWeb OPS - Users mailing list archive at Nabble.com.
>
>
>
> --
> You receive this message as a subscriber of the [hidden email] mailing list.
> To unsubscribe: mailto:[hidden email]
> For general help: mailto:[hidden email]?subject=help
> OW2 mailing lists service home page: http://www.ow2.org/wws

Re: Looking for an authentication approach

Colin Berry
What I need is a way to issue keys or certificates to a few trusted users (some of whom are kiosks, not actual people) allowing them to log on to the private areas without restricting open access to the public areas. Since the public area is standard XHTML, walling off the Tomcat/Orbeon area makes good sense.
Some offline communication has convinced me to try SSL client authentication. I think I have that configured for tomcat6 on my laptop. (Couldn't get it to work with tomcat5.5.) Once I test it and install ops into tomcat6, the only remaining challenge will be getting the user name back with oxf:request security or something similar.

Has anybody had experience with this?
 