how to bypass basic authentication by AJAX


Suprakash

Aug 27, 2007, 3:55:58 PM8/27/07
to Google AJAX API

I want to create a Gmail portlet, which will show me all the unread
Gmail email messages.

For this I am using the Google Atom feed https://mail.google.com/mail/feed/atom
and AJAX.

Now the problem is, to get the mail feed I need to bypass the
basic authentication.


Could anyone tell me how I can bypass the authentication or pass the
userid and password with this URL?

I am using IBM WebSphere Portal and the JSR portal API.

Suprakash

Aug 27, 2007, 4:01:49 PM8/27/07
to Google AJAX API

jgeerdes

Aug 27, 2007, 6:03:24 PM8/27/07
to Google AJAX API
First, from a practical standpoint, if you bypass authentication,
Gmail won't know whose mail you're wanting to monitor. Second, from a
security standpoint, allowing such a backdoor/bypass (let alone
allowing it to be publicized) would be an absolute nightmare.

That said, there is a way to include the userid and password in the
URL, but you'll have to decide if it's worth the security risk.
According to the GMail Help Center, you could request the following
url:

https://username:pass...@mail.google.com/mail/feed/atom

Doing that, though, will have two potentially - and one definitely -
critical security problems. First, due to the same origin restriction
of the AJAX Feeds API (and all AJAX applications), you will have to
pass the url back to a server (in this case, Google) that can request
the feed. This introduces the possibility that someone with access to
that server can see your username and password and thus gain access to
your mail account. Second, as a byproduct of AJAX's same origin
restriction, Google servers are required to crawl all feeds requested
via the AJAX Feeds API. To speed these requests and limit the demand
on server resources and bandwidth, Google caches all feeds. That
would include your mail feed, potentially allowing someone else to
gain access to your messages. And third, most importantly, to use
this approach with the Feeds API, you will have to include your
username and password somewhere in your JavaScript. Maybe you'll set
it up so that it's only accessible to specific users, but let's say
that specific user walks away from the terminal for five minutes and
some less-than-upstanding citizen slides in. A couple of keystrokes,
and they have username and password.

Granted, Google likely has stringent security. And they already have
access to your account (they are, after all, the proprietors of
GMail), so the first two of these security concerns probably aren't
all that great, but the third one, in my book, definitely is. In
other words, I would strongly urge you to think three or four times
before you choose to deploy such a system.

Jeremy R. Geerdes
Effective website design & development
Des Moines, IA

For more information or a project quote:
http://jgeerdes.home.mchsi.com
jgee...@mchsi.com

Suprakash

Aug 27, 2007, 6:29:32 PM8/27/07
to Google AJAX API
Thanks a lot for your response... I really appreciate it.

By "bypass basic authentication" I mean to say to avoid that pop-up. How
can I pass the userid and password along with the feed URL or request, so
that it will not ask for the userid and password by pop-up?

And the bad news is that
https://username:passw...@mail.google.com/mail/feed/atom (this URL) is not
supported anymore by IE (6.0 onward).

Now actually I have 2 options:

1. By AJAX: Google is providing an Atom feed, so I think there should be
a way to provide the userid and password.

2. By using the IBM Portal credential vault.

With the 2nd approach it's working fine for me, and it's storing the password
in the vault.


On Aug 27, 6:03 pm, jgeerdes <jgeer...@mchsi.com> wrote:
> First, from a practical standpoint, if you bypass authentication,
> Gmail won't know whose mail you're wanting to monitor. Second, from a
> security standpoint, allowing such a backdoor/bypass (let alone
> allowing it to be publicized) would be an absolute nightmare.
>
> That said, there is a way to include the userid and password in the
> URL, but you'll have to decide if it's worth the security risk.
> According to the GMail Help Center, you could request the following
> url:
>

> https://username:passw...@mail.google.com/mail/feed/atom

> jgeer...@mchsi.com
