Re: [lyo-dev] Reuse HttpClient session in Browser

Thanks for help - comments below .. I'll go with two logins, for now.

/N

==
Nils,

I would caution against this since the password can appear plaintext in the address bar, error pages, and history. Also depending on the server's logging settings, it could get put in a server log. The extra login is annoying, but I'm not sure it's worth the risk.
[Nils] Using the SWT Browser (http://help.eclipse.org/indigo/index.jsp?topic=%2Forg.eclipse.platform.doc.isv%2Freference%2Fapi%2Forg%2Feclipse%2Fswt%2Fbrowser%2FBrowser.html) .. not showing the address field, and not sure you can get to the history ..  

One approach you might consider is to use OAuth. As part of the OAuth flow, you show a browser window for the user to login. This OAuth login actually establishes a session with RTC, so I don't think the user will have to login again when you show the preview.
[Nils] Hmm - I can authenticate using the Lyo OslcOAuthClient but not sure what to reuse from that authentication when opening the org.eclipse.swt.browser.Browser.. It has a setUrl method for setting the url, post data (i.e. encoded in url) and headers, and also a setCookies method. 

-- 
Samuel Padgett | IBM Rational | spadgett@xxxxxxxxxx

On 14 May 2013, at 16:44, Michael Fiedler <fiedler.mf@xxxxxxxxx> wrote:

Since the session is https, the password is not in the clear over the wire. But, unless you are taking extra steps, it is in the clear in memory. Open a bug if there are any OSLC4J messages displaying plaintext passwords, though - that would be bad.
[Nils] No OSLC4J messages - the one I get is from Chrome

Regards,
Mike


On Mon, May 13, 2013 at 3:03 PM, Nils Kronqvist <nissekronqvist@xxxxxxxxxxx> wrote:

On 13 May 2013, at 19:53, Michael Fiedler <fiedler.mf@xxxxxxxxx> wrote:

I don't believe this can be done (someone correct me if I'm wrong here).   RTC relies on session-specific information (cookies like JSESSIONID) to tell if you are authenticated.   Since the browser would have its own session, there's no way to "share" your existing JazzFormAuthClient's authentication.  The form auth code does do exactly what you did to login by hitting the j_security_check URL.   It follows some redirects to get there and picks up some cookies on the way.   So, that is not an incorrect way to do it.
[Nils] OK, thanks. I guess my main issue is the showing of the pw in plaintext in the error message. 

Are you able to hit the login URL and then send the SWT Browser to the real url you want?
[Nils] Yes, that is working. 


Regards,
Mike


On Wed, May 8, 2013 at 12:14 AM, Nils Kronqvist <nissekronqvist@xxxxxxxxxxx> wrote:
Hi,

I'm using the JazzFormAuthClient (i.e. according to the RTCFormClient sample) to access ChangeRequests, and would like to open a SWT Browser on a preview url *without* having to authenticate again for the Browser. I found I could login by passing https://myserver:9443/ccm/j_security_check?j_username=myname&j_password=mypassword for the Browser, but not sure if this is the right way to do it. Besides, I get a warning that the security certificate of the server is not valid on 1st call (reason not related to this, but still ..) -- and then showing the url with the pw ...

Also tried other ideas found on the net, but no luck so far. Any pointers ..?

Rgs,

/Nils K  


_______________________________________________
lyo-dev mailing list
lyo-dev@xxxxxxxxxxx
http://dev.eclipse.org/mailman/listinfo/lyo-dev
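
The caution in this thread is about the password travelling in the URL, where it can reach the address bar, error pages, history and server logs. As an added example (not code from the thread, Lyo or SWT), the same `j_username`/`j_password` fields can be sent as a form POST through the SWT `Browser.setUrl(url, postData, headers)` overload mentioned above. The class and method names are hypothetical, and it assumes the server accepts the POST at `j_security_check` the way it accepted the GET.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;

import org.eclipse.swt.browser.Browser;
import org.eclipse.swt.browser.ProgressAdapter;
import org.eclipse.swt.browser.ProgressEvent;

/** Added example: hypothetical helper, not part of Lyo or SWT. */
public final class FormLoginBrowser {

    /** Form body; values are URL-encoded so '&', '=' or '+' in a password survive. */
    static String formBody(String user, String password)
            throws UnsupportedEncodingException {
        return "j_username=" + URLEncoder.encode(user, "UTF-8")
             + "&j_password=" + URLEncoder.encode(password, "UTF-8");
    }

    /**
     * Logs the embedded browser in with a POST, then opens the preview.
     * loginUrl is the bare login address, e.g.
     * https://myserver:9443/ccm/j_security_check (host taken from the thread).
     */
    public static boolean loginThenOpen(final Browser browser, String loginUrl,
            String user, String password, final String previewUrl)
            throws UnsupportedEncodingException {
        // Refuse anything that would put credentials back into the URL
        // or send the form body over plain http.
        if (loginUrl.indexOf('?') >= 0) {
            throw new IllegalArgumentException("login URL must not carry a query string");
        }
        if (!loginUrl.startsWith("https://")) {
            throw new IllegalArgumentException("login URL must be https");
        }
        browser.addProgressListener(new ProgressAdapter() {
            @Override
            public void completed(ProgressEvent event) {
                // One-shot: once the login response has loaded, the session
                // cookies are in the browser, so navigate to the preview.
                browser.removeProgressListener(this);
                browser.setUrl(previewUrl);
            }
        });
        String[] headers = { "Content-Type: application/x-www-form-urlencoded" };
        // The password is only in the request body, which does not appear in
        // the location, the history or a standard access-log request line.
        return browser.setUrl(loginUrl, formBody(user, password), headers);
    }
}
```

The password still sits in a Java `String` in memory, which is the residual exposure noted in the thread; this only removes it from the URL.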

