Forum OpenACS Q&A: Re: Password in ClearText

Posted by Tom Jackson on

First off, I think you must totally misunderstand the way authentication and security are handled in OpenACS. Basic or digest authentication simply will not work with OpenACS. They don't use the same semantics as OpenACS authentication. So authentication to view a page is one issue; this is handled with the OpenACS permission system. The other is security of the data passing over the network. We have that with ssl.

Is this your only issue with OpenACS? It seems like a non-obvious place to start.

Posted by Jeff Davis on
Tom, it's not at all clear to me why you couldn't use digest authentication on the page that grants the auth token. Maybe you could elaborate here on why that wouldn't work...

Andrew, I say javascript is a waste since most of the painful authentication experiences I have had have been with ecommerce sites that have "rolled their own" in javascript. Of course you can say "just get it right and everything works smoothly, and if someone turns off javascript they just can't use the site," but I think, given that ssl will just work and is in fact much more secure, it's a waste to add something that will definitely lock some people out and provides only a moderate amount of security, and especially a waste if we could make digest authentication work for granting auth tokens.

I do think we got the ssl side right (with the notion of secure and insecure tokens, an easy way to restrict parts of the site to ssl, and login using ssl by default assuming ssl is available). I think we should have a way to say "disable logins if ssl is unavailable" but I expect that would not be at all hard to add.
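To make concrete what "digest authentication for granting auth tokens" would look like, here is an added example (not code from this thread or from OpenACS) of an RFC 2617 digest exchange in which the server issues a single-use nonce, checks the client's MD5 proof against a stored HA1 rather than a cleartext password, and only then hands out a session token. The realm name, the `/register/` URI and all function names are assumptions for illustration.

```python
import hashlib
import secrets

REALM = "openacs-login"  # assumed realm name, not an OpenACS value


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def ha1(username: str, password: str, realm: str = REALM) -> str:
    # The server only needs HA1 on file, never the cleartext password.
    return _md5(f"{username}:{realm}:{password}")


def digest_response(ha1_value, method, uri, nonce, nc, cnonce):
    # RFC 2617 qop="auth" response: MD5(HA1:nonce:nc:cnonce:auth:HA2)
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1_value}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


class DigestServer:
    def __init__(self, users):
        self.users = users      # {username: HA1}
        self.issued = set()     # nonces handed out and not yet consumed

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.issued.add(nonce)
        return nonce

    def grant_token(self, username, method, uri, nonce, nc, cnonce, response):
        """Return a fresh session token, or None if the proof is rejected."""
        if nonce not in self.issued:    # never issued, or already spent: replay
            return None
        self.issued.discard(nonce)      # each challenge is usable exactly once
        stored = self.users.get(username)
        if stored is None:
            return None
        expected = digest_response(stored, method, uri, nonce, nc, cnonce)
        if not secrets.compare_digest(expected, response):
            return None
        return secrets.token_urlsafe(32)


def login(server, username, password, uri="/register/"):
    """Client side: only the MD5 proof crosses the wire, never the password."""
    nonce = server.challenge()
    cnonce = secrets.token_hex(8)
    proof = digest_response(ha1(username, password), "POST", uri, nonce, "00000001", cnonce)
    return server.grant_token(username, "POST", uri, nonce, "00000001", cnonce, proof)
```

The single-use nonce set is what stops a captured proof from being replayed; the proof itself is still an unsalted-MD5 style value that an eavesdropper can attack offline, which is the "moderate amount of security" Jeff refers to and why the token exchange belongs under ssl regardless.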

Posted by Tom Jackson on

Jeff, I guess the question is how would it work? First off, I didn't think AOLserver supported digest authentication. But maybe that isn't what is being talked about here.

I think I'd rather leave it to someone who thinks this is important to actually write up a working example. It seems pretty useless trying to convince someone who prefers MySQL over PG or Oracle to take my word for it anyway.

Andrew S, given all your other reservations about OpenACS listed in another thread, I would recommend looking elsewhere for your CMS solution. This one obviously isn't it. There are lots of products out there that meet your stated needs.

Advice is worth what you pay for it. So here is some: if you visit France, don't complain that they don't speak English. If you visit MIT, don't complain that there are a bunch of geeks hanging around and in your way. And if you don't like the length of your foot, get into therapy.