[sldev] More about viewer auth in today's RC

[Lawson English]

Anders Arnholm wrote:
> On Tue, Dec 04, 2007 at 03:47:17PM -0800, Tess Chu wrote:
>
>   
>> Much of the ensued debate centered around the relative security of the old 
>> xml-rpc based approach versus the new approach of using HTML.  We *weren't* 
>> necessarily trying to make the mechanism itself more secure (we believe 
>>     
>
>   
There are apparently 2 different ways to go:

1) viewer(browser) => webpage => url+UUID (cap) => viewer

or

2) 3rd part browser => webpage => url + UUID (cap) => viewer


that cap retrieved from the webpage replaces the password that used to 
be input directly into the viewer, so the xmlrpc call remains identical 
except  the key/value pair:

'web_login_key': UUID

replaces the key/value pair:

'password': '$1$' + MD5_endcoded_password


Python scripts to handle the login are found here though you gotta 
replace the key/value pairs in the source yourself for the xml-rpc call  
because I'm lazy:

https://wiki.secondlife.com/wiki/Example_protocol_code



Lawson




> Much of this because you, (meaning the lindens) described the method as:
>
>  web (IE/Safari/firefox) -> viewer
>
> Not as it is:
>
>  viewer -> super speical http/html (+something?) brower lookalike thing
>  -> info to viewer
>
> The issues and compatibility problems ate totally different the problem
> domain is totally different. Now we can wounder what the heck is needed
> from the viewer to work? CSS? JavaScript? Image rendering? This browser is
> apparently able to save into, and have a button for it in the
> webpage, what does that mean? What is the protocol used to steer the
> special viewer... A descriptions, some code maybe descriptions and
> specifications here probably much more important that code.
>
> / Balp
>   
> ------------------------------------------------------------------------
>
> _______________________________________________
> Click here to unsubscribe or manage your list subscription:
> /index.html
>