Skip to main content

Notice: this Wiki will be going read only early in 2024 and edits will no longer be possible. Please see: https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/wikis/Wiki-shutdown-plan for the plan.

Jump to: navigation, search

Orion/Security

Authentication

Orion has an extensible authentication scheme that is provided by the server. A 401 response to any Orion service is accompanied by JavaScript in the response body that performs authentication. The script auth.js provides helper methods for handling authentication on the client side. These methods are inserted in client code wherever xhr calls to the server are made:

  dojo.xhrGet({
    ...
    error: function(response, ioArgs) {
      handleGetAuthenticationError(this, ioArgs); // <- helper method
      return response;
    }
  });

The example server currently provides support for Basic HTTP authentication, form-based authentication, and authentication using OpenID.

Authorization

Orion currently uses a simple authorization system based entirely on request URIs. User names are granted authorization for a given URI prefix, which allows GET/PUT/POST operations on any service or resource starting with that prefix. This model will be extended to support controlling what HTTP methods are supported for a given prefix, to allow for example read access without write access to a URI space.

Encryption

The Orion example server currently supports encrypted communication via HTTPS, as well as unencrypted HTTP communication.

Persistence of User Data

Sensitive user information such as passwords are stored in an encrypted data store using Equinox Secure Preferences. This data is found in the server workspace (the location specified by the -data argument when starting the server). Within the workspace, the encrypted store is found at <workspaceLocation>/.metadata/.plugins/org.eclipse.orion.server.user.securestorage/user_store. This storage location is encrypted with a master password that is either provided by a native key store (Windows and Mac OS X), or via a password supplied by the "orion.storage.password" system property.

Future Work

  • Delegated authorization using OAuth, so other web services can have limited access to a set of orion services when approved by the user.
  • Extended authorization model that support controlling what HTTP methods are supported for a given prefix.
  • LDAP-based authentication

Back to the top