Password ciphering available in CAXL?

duncan_at_hive
Level 1

Hi there,

I am currently working with the CAXL library to integrate IM&P into a Web Portal. I am looking to get around having to expose the user's plain text password in the browser when performing client.connect(username, password), and I saw mentioned in a question regarding the Jabber SDK the use of a password cipher when using "cwic". However I've not seen anything similar mentioned for just using CAXL's "client" by itself.

Does anyone know if this is something that is available in CAXL? Or will this have to be a custom solution on our part?

Many thanks for any help,

Duncan

2 Replies

npetrele
Cisco Employee

Hi Duncan,

Could you clarify your concern here?  If you're using a secure connection (HTTPS), the password won't go over the wire in plaintext.  Or are you concerned that some other browser app (like another page or a plugin) would be able to see the password? 

Hi Nicholas,

Firstly, thanks so much for your speedy reply!  My concern is the latter actually, having to expose the password to the browser.  I know that this would have limited damaging effects should someone choose to try to abuse this, but it's still a big concern for me.

My initial thought if there was nothing out of the box that CUCM IMP provided was to have a two-way shared secret between the portal server and a proxy server sitting IN FRONT OF the BOSH server.  The portal server would hash the password and expose it to the browser.  The browser would talk to the proxy server rather than the BOSH server directly, and the proxy server would decode the password in the Authentication XMPP call before passing it on to the real BOSH server.  It'd be a little fiddly to implement but not too difficult...

Thanks,

Duncan
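
The portal-to-proxy scheme described in the last reply, sketched as an added example that is not part of the original posts and is not Cisco or CAXL code. Because the proxy has to recover the password, it assumes reversible authenticated encryption (AES-256-GCM) under the shared secret, plus a short expiry and a binding to the username; `sealPassword`, `openPassword`, `SHARED_KEY` and `TTL_MS` are hypothetical names.

```javascript
// Added example: hypothetical helpers, not part of CAXL or CUCM IM&P.
const crypto = require("node:crypto");

// Constructed demo key. In practice: a random 32-byte secret provisioned to
// the portal server and the proxy only, never delivered to the browser.
const SHARED_KEY = crypto.createHash("sha256").update("constructed-demo-key").digest();
const TTL_MS = 60000; // assumed lifetime of a sealed credential

// Portal server side: the browser receives only this opaque token.
function sealPassword(key, username, password, now = Date.now()) {
  const iv = crypto.randomBytes(12); // fresh nonce per token
  const expiry = Buffer.alloc(8);
  expiry.writeBigUInt64BE(BigInt(now + TTL_MS));
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  // Associated data ties the token to one user and one expiry time.
  cipher.setAAD(Buffer.concat([expiry, Buffer.from(username, "utf8")]));
  const ct = Buffer.concat([cipher.update(password, "utf8"), cipher.final()]);
  return Buffer.concat([iv, expiry, cipher.getAuthTag(), ct]).toString("base64");
}

// Proxy side (in front of BOSH): returns the password, or null on any failure.
function openPassword(key, username, token, now = Date.now()) {
  const raw = Buffer.from(token, "base64");
  if (raw.length < 12 + 8 + 16) return null; // too short to be a token
  const iv = raw.subarray(0, 12);
  const expiry = raw.subarray(12, 20);
  const tag = raw.subarray(20, 36);
  const ct = raw.subarray(36);
  if (BigInt(now) > expiry.readBigUInt64BE()) return null; // expired
  try {
    const decipher = crypto.createDecipheriv("aes-256-gcm", key, iv);
    decipher.setAAD(Buffer.concat([expiry, Buffer.from(username, "utf8")]));
    decipher.setAuthTag(tag);
    // final() throws if the token, expiry, username or key does not match.
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
  } catch {
    return null;
  }
}
```

Until it expires, the sealed token still authenticates anyone who can present it to the proxy, so the lifetime should be short and the proxy reachable only over TLS.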