[OAI-implementers] Autentication in OAI-PMH

Filipe Correia fcorreia at gmail.com
Sat Jul 31 06:16:20 EDT 2010


Everyone, thank you for the feedback!


Cheers,
Filipe Correia


On Fri, Jul 30, 2010 at 4:43 PM, Michael Nelson <mln at cs.odu.edu> wrote:
>
> just to echo Jeff's comment: solve your auth problems with http.
>
> Although I can't recall any examples, it is my understanding that there are
> many instances of harvesters & repos currently doing this.
>
> regards,
>
> Michael
>
> On Fri, 30 Jul 2010, Young,Jeff (OR) wrote:
>
>> Filipe,
>>
>> OAI-PMH uses HTTP as a transport layer and isn't fussy about what happens
>> under the HTTP covers. If you use proper HTTP status codes (e.g. 401/403)
>> and headers (e.g. "WWW-Authenticate") to manage the authentication, there
>> doesn't seem to be any wording in the OAI-PMH standard that would be
>> problematic.
>>
>>
>> http://www.openarchives.org/OAI/openarchivesprotocol.html#HTTPResponseFormat
>>
>> http://tools.ietf.org/html/rfc2616#section-10.4.2
>> http://tools.ietf.org/html/rfc2616#section-10.4.4
>> http://tools.ietf.org/html/rfc2616#section-11
>>
>> Solving this according to Web standard authentication procedures be
>> praiseworthy.
>>
>> I wouldn't worry about ideology of the protocol being "Open". It's just a
>> protocol.
>>
>> Jeff
>>
>>> -----Original Message-----
>>> From: oai-implementers-bounces at openarchives.org [mailto:oai-
>>> implementers-bounces at openarchives.org] On Behalf Of Filipe Correia
>>> Sent: Friday, July 30, 2010 9:07 AM
>>> To: jlb at ist.utl.pt
>>> Cc: oai-implementers at openarchives.org
>>> Subject: Re: [OAI-implementers] Autentication in OAI-PMH
>>>
>>> Thank you for the quick reply José!
>>>
>>>> Please be aware that the "O" in "OAI" really intends to mean "Open"!
>>>
>>> In that
>>>>
>>>> sense you are raising a relevant requirement for your project, but in
>>>
>>> fact it
>>>>
>>>> intentionally never was a requirement for the OAI community...
>>>
>>> Well, I was afraid of that... :-)
>>>
>>>
>>>> Anyway, there are many "strategies" you can apply to still keep using
>>>
>>> the
>>>>
>>>> basic OAI-PMH principles and on the same time apply your
>>>
>>> requirement... You
>>>>
>>>> can start by using a VPN, but maybe other very simple one, that just
>>>
>>> came now
>>>>
>>>> to my mind, would be to have from the server side an implementation
>>>
>>> of the
>>>>
>>>> delivery of the data sets dependent from the IP address of the client
>>>
>>> (I mean,
>>>>
>>>> you just need to customize a server for that, so for unknown IPs the
>>>
>>> server
>>>>
>>>> gives the "public" data, and the "private" data only to known and
>>>
>>> previously
>>>>
>>>> registered IPs...). Just an idea...
>>>
>>> That's definitely an option to consider, I'm going to look into it
>>> more thoroughly. I'm concerned about what happens when institutional
>>> networks are involved. For example, if behind a given IP address
>>> there's an whole network of computers, by authorizing that IP address
>>> we may be granting access to more harvesters (or individuals) than
>>> intended.
>>>
>>> I've just thought of a possible alternative, and would love to know
>>> your thoughts about it:
>>> Harvesting an OAI-PMH provider is made entirely through HTTP calls, so
>>> maybe one could use HTTP's basic-authentication? Even if the OAI-PMH
>>> protocol doesn't say that servers should challenge harvesters for
>>> authentication, if a harvester does provide authentication information
>>> (more specifically, if it provides HTTP basic-auth credentials, sent
>>> on the HTTP headers), the harvester could act accordingly. This way,
>>> the OAI-PMH provider would remain compatible with "normal" harvesters,
>>> to which it would provide only the "public" records. But it would be
>>> able to provide additional records to harvesters providing
>>> credentials.
>>>
>>> Do you see any reason why this could not work? Please warn me if you
>>> think it's a bad practice for some reason :-)
>>>
>>>
>>> --
>>> Filipe Figueiredo Correia
>>> PhD Student @ FEUP
>>> Software Engineer @ ParadigmaXis
>>>
>>> _______________________________________________
>>> OAI-implementers mailing list
>>> List information, archives, preferences and to unsubscribe:
>>> http://www.openarchives.org/mailman/listinfo/oai-implementers
>>>
>>
>>
>>
>> _______________________________________________
>> OAI-implementers mailing list
>> List information, archives, preferences and to unsubscribe:
>> http://www.openarchives.org/mailman/listinfo/oai-implementers
>>
>
> ----
> Michael L. Nelson mln at cs.odu.edu http://www.cs.odu.edu/~mln/
> Dept of Computer Science, Old Dominion University, Norfolk VA 23529
> +1 757 683 6393 +1 757 683 4900 (f)
> _______________________________________________
> OAI-implementers mailing list
> List information, archives, preferences and to unsubscribe:
> http://www.openarchives.org/mailman/listinfo/oai-implementers
>
>
>



-- 
Filipe Figueiredo Correia
PhD Student @ FEUP
Software Engineer @ ParadigmaXis



More information about the OAI-implementers mailing list