Robert Koberg wrote:
How are you suggesting these should work?
The simplest approach is merely to recognize URLs in the form
https://user:pass@host/
That is secure for what? Classroom examples?
This is not about security, it is about authentication. They are
related, but not the same. Basic Authentication (which could be what is
expressed above) is not secure at all: the password is sent in plain
text over the internet and it doesn't really matter whether you type it
or not. Digest authentication is a bit more secure, but still fairly
easy to crack. SSL, of course, is the way to go when you want it secure
because your data becomes virtually unreadable, but you usually combine
it with some way of authentication, next to your certificate + encryption.
In almost all systems where some layer needs to access another layer
(ORM needs access to RDBMS, Ant needs access to CVS etc) automatically,
passwords are stored inside the code/pwd files/settings files, sometimes
encrypted, sometimes not. The security then does not depend on this
visible password on the system, but on the way this system is secured
from the rest of the world.
So, to answer your question: it is as secure as any system that needs an
(automatic) secured connection to another system (and obviously you
don't need to store the password/username inside the XSLT).
Cheers,
-- Abel Braaksma
Alternatively, you can, of course, make it all interactive. If I use
Eclipse (or is it Oxygen?) to run a stylesheet that tries to get data
from a challenge/response type of connection, it is so kind to ask me
for a password, even when I do it with XSLT. But then, this password is
sent unencrypted (unless it is SSL of course, but then still, anybody
with access to my computer will be able to get the information through
keyloggers).
--~------------------------------------------------------------------
XSL-List info and archive: http://www.mulberrytech.com/xsl/xsl-list
--~--
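
An added example, not part of the original message or of any XSLT processor: a Python sketch of how a client could handle a URL of the form `https://user:pass@host/` discussed in the thread. It shows that the Basic `Authorization` header is only Base64 and decodes straight back to the password, strips the credentials from the URL before it is requested or logged, and refuses to attach them without TLS. All function names are hypothetical.

```python
import base64
from urllib.parse import urlsplit, urlunsplit, unquote


def split_credentials(url):
    """Separate the userinfo part from a URL; return (clean_url, user, password)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if ":" in host:                      # IPv6 literal needs its brackets back
        host = f"[{host}]"
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    clean = urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))
    return clean, unquote(parts.username or ""), unquote(parts.password or "")


def basic_header(user, password):
    """Build the Basic Authorization value: Base64 of 'user:password', no encryption."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_header(value):
    """What anyone who can read the request can do: recover user and password."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def build_request(url):
    """Return (clean_url, headers); credentials are only attached over https."""
    clean, user, password = split_credentials(url)
    headers = {}
    if user:
        if urlsplit(clean).scheme != "https":
            raise ValueError("refusing to send Basic credentials without TLS")
        headers["Authorization"] = basic_header(user, password)
    return clean, headers


if __name__ == "__main__":
    url, headers = build_request("https://user:pass@host/")   # form used in the thread
    print(url, headers)
    print(decode_basic_header(headers["Authorization"]))
```
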