Unable to pass credentials through URL to an HTTP Server [message #1202977] Fri, 22 November 2013 12:12
Victor Roldan Betancort
Hello all,

Some time ago we started using our own P2 Sites to distribute our binaries, and that's behind an artifact management system called Artifactory. We found P2 had problems resolving HTTP URLs containing credentials. You may find more information in the original post:

http://www.eclipse.org/forums/index.php/t/556492/

So we concluded the HttpClient implementation of ECF does not support fetching credentials from the URL and passing it to the server.

The issue found at:

https://bugs.eclipse.org/bugs/show_bug.cgi?id=307477

fixed the correct parsing of the http://<user>:<pass>@host:port format. But it did not actually implement passing these credentials to the server.

My question here is: is there any reason this feature is not implemented (for example, security reasons, being a non-standard feature...). In case there is no reason, would a contribution be accepted?

Cheers,
Víctor.
Re: Unable to pass credentials through URL to an HTTP Server [message #1203455 is a reply to message #1202977] Fri, 22 November 2013 17:19
Scott Lewis
Hi Victor,

> My question here is: is there any reason this feature is not implemented (for example, security reasons, being a non-standard feature...). In case there is no reason, would a contribution be accepted?

I think the primary reason no more was done here was that the resolution on the previous bug (307477) was contributed by Ireneusz Spinalski...and I/we assumed that this was all that was needed.

I would therefore be open to other additional contributions here...although I'm curious...what authentication mechanism is going to use the url-encoded password? (Basic auth, or others)? Also...given the url-encoded password is fully in the clear...are p2 repository owners really going to want to expose content via these urls? I guess I had previously assumed that the use case for this was so limited that perhaps it warranted simply creating a new filetransfer provider (based upon httpclient4)...rather than building in this functionality to the existing provider.



Re: Unable to pass credentials through URL to an HTTP Server [message #1211461 is a reply to message #1203455] Tue, 26 November 2013 12:52
Victor Roldan Betancort
Quote:

I think the primary reason no more was done here was that the resolution on the previous bug (307477) was contributed by Ireneusz Spinalski...and I/we assumed that this was all that was needed.


That's exactly what I thought. Probably they didn't intend to authenticate anything, but rather to have the framework parse that URL syntax properly. Still, it does not make much sense to me.

Quote:

I would therefore be open to other additional contributions here...although I'm curious...what authentication mechanism is going to use the url-encoded password? (Basic auth, or others)? Also...given the url-encoded password is fully in the clear...are p2 repository owners really going to want to expose content via these urls? I guess I had previously assumed that the use case for this was so limited that perhaps it warranted simply creating a new filetransfer provider (based upon httpclient4)...rather than building in this functionality to the existing provider.


I'm not an expert in HTTP authentication, but:

a) In our case, basic auth would go through HTTPS

b) No, it's not ideal to have credentials in the P2 URL, but Bucky currently does not provide any other means to inject credentials. This feature is just missing, and surprisingly nobody ever asked about it.

I believe that also, somewhere in the call stack, P2 queries the Equinox Secure Storage for credentials, and that could help avoid credentials in plain text, but it is not clear to me what's going on there. Maybe I should ask in the P2 forum.

If you still think this URL-encoded auth feature is welcome, I shall open a 'zilla.

Thanks for your support!
Víctor Roldán [Open Canarias]
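
The handling discussed in this thread, as an added example that is not part of any post and is not ECF or p2 code: take the `http://<user>:<pass>@host:port` user-info, turn it into a Basic `Authorization` header only when the scheme is HTTPS, and strip it from the URL that is actually requested and logged. The class `UrlCredentials`, its `split` method and the sample URLs are hypothetical and constructed for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class UrlCredentials {

    /** The URL to request and log, plus the header value to send (null if none). */
    static final class Split {
        final String requestUrl;     // original URL with the user-info part removed
        final String authorization;  // "Basic <base64>" or null
        Split(String requestUrl, String authorization) {
            this.requestUrl = requestUrl;
            this.authorization = authorization;
        }
    }

    static Split split(String url) throws URISyntaxException {
        URI uri = new URI(url);
        String raw = uri.getRawUserInfo();          // still percent-encoded, or null
        if (raw == null) return new Split(url, null);
        // Cut "user:pass@" out of the string so the password never reaches
        // the request line, proxy logs or error messages.
        int at = url.indexOf(raw + "@");
        String clean = url.substring(0, at) + url.substring(at + raw.length() + 1);
        String userInfo = uri.getUserInfo();        // percent-decoded "user:pass"
        boolean https = "https".equalsIgnoreCase(uri.getScheme());
        if (!https || userInfo.indexOf(':') < 0) {
            // Basic auth is only base64-encoded: never send it over plain HTTP.
            return new Split(clean, null);
        }
        // UTF-8 is an assumption; servers may expect ISO-8859-1 for non-ASCII passwords.
        byte[] bytes = userInfo.getBytes(StandardCharsets.UTF_8);
        return new Split(clean, "Basic " + Base64.getEncoder().encodeToString(bytes));
    }

    public static void main(String[] args) throws URISyntaxException {
        // Constructed sample URLs: host, user and password are made up.
        String[] samples = {
            "https://builder:s3cr%40t@repo.example.com:8443/p2/site/content.jar",
            "http://builder:s3cret@repo.example.com/p2/site/content.jar",
            "https://repo.example.com/p2/site/content.jar"
        };
        for (String s : samples) {
            Split r = split(s);
            System.out.println(r.requestUrl + " -> header sent: " + (r.authorization != null));
        }
    }
}
```

Only the first sample yields a header; the plain-HTTP URL is stripped of its user-info and sent without credentials, and the third is passed through unchanged.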