[Clipart] XML hierarchies, the DMS, daemons, and Debian

Bryce Harrington bryce at bryceharrington.com
Sat Oct 16 10:10:18 PDT 2004

On Sat, 16 Oct 2004, Jonadab the Unsightly One wrote:
> Bryce Harrington <bryce at bryceharrington.com> writes:
> >> Makes sense to me.  Account creation and login should use https;
> >> the rest of the site can stay on http.
> >
> > Do we need to mess with certificates in order to do this?  
> You've got me.  I know what https is good for, but I've until now
> never used it except on the client side.  Guess it's time to learn.

I was fiddling with SOAP authentication yesterday and made some good
progress with it.  I got it working in my dev environment, but the
code's pretty messy so I need to spend another day on it.  

How this system works is that the client issues a login() command to the
server with the username/password.  If accepted, the server returns a
ticket that contains the auth info, including an md5 signature and
timeout parameter.  The client can then hang onto this ticket, and use
it by putting it into the SOAP header of any protected calls it wishes
to make.  

I still haven't figured out the https bit yet.  The above still uses
http for the login() so is not as secure as we'd like.  


More information about the clipart mailing list