Forgive me if this is a standard newbie question...
I'm developing a firefox extension that talks with a server via a
RESTful API. Most REST discussions recommend using HTTP Auth (RFC
2617), but this solution isn't ideal because browsers keep the
authorization credentials until the browser is closed. This rules out
having multiple users on the same machine.
Is there a workaround to this?
Or, how terrible is it if I pass the username and password as part of
the URI? Everything is going over SSL, so it's not a security concern.
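As an added illustration that is not part of the thread (the code below is mine, not the poster's extension or server), here is a minimal server-side handler for the RFC 2617 Basic scheme the post refers to, together with the "logout URI with the same realm" trick a later reply in this thread describes: answering a valid request with another 401 for the same realm makes the browser drop the credentials it cached, so a second user on the same machine can be prompted. The user store, realm name and handler signature are constructed for the example.

```python
import base64
import hmac

# Constructed credential store for the example only. A real server would keep
# a salted password hash per user, never the plaintext.
USERS = {"alice": "correct horse"}
REALM = "rest-api"  # assumed realm name; browsers cache credentials per realm


def basic_header(username, password):
    """Build the Authorization header value a client sends for Basic auth."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_basic(header_value):
    """Return (username, password) from a Basic header value, or None if malformed."""
    if header_value is None:
        return None
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = raw.partition(":")
    if not sep:
        return None
    return username, password


def handle(method, path, headers):
    """Toy request handler: returns (status, response_headers, body)."""
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    creds = parse_basic(headers.get("Authorization"))
    if creds is None:
        # No or malformed credentials: challenge for the realm.
        return 401, challenge, "authenticate"
    username, password = creds
    expected = USERS.get(username)
    # Constant-time comparison so a wrong password is not distinguishable
    # by timing from an unknown user.
    ok = expected is not None and hmac.compare_digest(
        expected.encode("utf-8"), password.encode("utf-8")
    )
    if not ok:
        return 401, challenge, "bad credentials"
    if path == "/logout":
        # Credentials were valid, but answer 401 for the SAME realm anyway:
        # the browser discards what it cached for this realm and prompts
        # again on the next request, so another user can sign in.
        return 401, challenge, "logged out"
    return 200, {}, f"hello {username}"


if __name__ == "__main__":
    auth = {"Authorization": basic_header("alice", "correct horse")}
    print(handle("GET", "/", {}))
    print(handle("GET", "/", auth))
    print(handle("GET", "/logout", auth))
```

Note that the credentials are carried in the Authorization header rather than in the request line, which is what keeps them out of the path that web servers and proxies normally write to their access logs.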
... Stan, *maybe* I stumbled across something a few days ago: http:// www.jalgermissen.com/blog/xmlhttp_and_auth.html I have not had the time to check this...
... I think you can reset the credentials by sending a request which causes the server to stop accepting the current credentials. That's just an idea, though...
Hi Stan, Lucas, ... It's important to understand why this is terrible, because there's a very elegant solution hidden underneath the terrible. Including the...
... You have to prompt the user again, for example you have a logout URI, with the same realm (browsers cache user/pass associated with the realm) and there...
... Unfortunately, human nature will likely kill your idea as it has in almost all applications for years now. Users have trouble remembering a single ...
Hi Andrzej, ... (snip) ... Fortunately, they don't need to. Each resource password is embedded in the corresponding URL. The user just clicks on hyperlinks,...
Tyler, Could you please explain how embedded hyperlinks work in Yurl or web-calculus? Take the case where I give you the Yurl for a Web resource where the ...
Bob Haugen <bob.haugen@...>, Sep 24, 2005 4:42 pm
Hi Bob, ... When using capability URLs, such as in the web-calculus, your hypermedia web embodies not only your application state, but also your access policy....
Tyler, tell me if I understand correctly. Seems like this is a security by obscurity approach? I would not ordinarily be able to guess the embedded url ...
... Ok, so I might have a logical "resource" that knows about lots of other logical "resources", but my YURL design might need to have many capability-based...
Bob Haugen <bob.haugen@...>, Sep 27, 2005 3:48 pm
Hi Hugh, ... You correctly understand the mechanism, but label it incorrectly with "security by obscurity". The embedded URL ...
... [hvw] Just seems to me a lot of resource owners might want to retain the authority over who gets access to the resource. They might want me to use the...
On Mon, 26 Sep 2005 14:57:39 -0500, "Hugh Winkler" <hughw@...> ... This is by design. You can grant a capability to somebody by copying it. This is close...
Hi Vincent, ... That's a good analogy. Tyler -- The web-calculus is the union of REST and capability-based security: http://www.waterken.com/dev/Web/ Name your...
... It's up to resource owners to choose recipients of this capability wisely. It's not good that it is so easy for them to choose unwisely, but that's an...
Hi Hugh, ... No, the location of the house is a guessable secret. Anyone wandering down the road will come across it. The specific construction of a particular...
Hi Hugh, ... I could very well log all accesses to the capability URL that I give you and send you a nasty letter if I decide abusive requests have been made...
p2p-hackers, meet rest-discuss. rest-discuss, I'd like to introduce you to p2p-hackers. RESTafarians: there is a long-running conversation on p2p-hackers...
... [hvw] I would have to have malicious intent, if I were to send along my password to someone. Whereas lots of security compromises could be accidental. I...
... You are not a good bet for such a scheme, then. That issue will resolve itself as part of the normal flow of capabilities. For example, the same problem...
Hi Hugh, ... Not necessarily... ... That email might also contain your username/password. After all, the password must be sent to you some way. For example, if...