Re: [xsl] HTTP authentication support

Subject: Re: [xsl] HTTP authentication support
From: Abel Braaksma <>
Date: Tue, 04 Sep 2007 00:08:04 +0200
Robert Koberg wrote:
How are you suggesting these should work?
The simplest approach is merely to recognize URLs in the form https://user:pass@host/

That is secure for what? Classroom examples?

This is not about security, it is about authentication. They are related, but not the same. Basic Authentication (which could be what is expressed above) is not secure at all: the password is send in plain text over the internet and it doesn't really matter whether you type it or not. Digest authentication is a bit more secure, but still fairly easy to crack. SSL, of course, is the way to go when you want it secure because your data becomes virtually unreadable, but you usually combine it with some way of authentication, next to your certificate + encryption.

In almost all systems where some layer needs to access another layer (ORM needs access to RDBMS, Ant needs access to CVS etc) automatically, passwords are stored inside the code/pwd files/settings files, sometimes encrypted, sometimes not. The security then does not depend on this visible password on the system, but on the way this system is secured from the rest of the world.

So, to answer your question: it is as secure as any system that needs an (automatic) secured connection to another system (and obviously you don't need to store the password/username inside the XSLT).

-- Abel Braaksma

Alternatively, you can, of course, make it all interactive. If I use Eclipse (or is it Oxygen?) to run a stylesheet that tries to get data from a challenge/response type of connection, it is so kind to ask me for a password, even when I do it with XSLT. But then, this password is send unencrypted (unless it is SSL of course, but than still, anybody with access to my computer will be able to get the information through keyloggers).

Current Thread