<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">Hi,<br>
      <br>
      some comments below.<br>
      <br>
      Be aware that as expected, we just released signedrequest +
      rqlcontroller (for now in
      <a class="moz-txt-link-freetext" href="http://download.logilab.org/acceptance/">http://download.logilab.org/acceptance/</a>).<br>
      <br>
      Your feedback is very welcome if you find any time to test them.<br>
      <br>
      Cheers,<br>
      Florent.<br>
      <br>
      On 13/03/2014 11:24, Jinpeng Li wrote:<br>
    </div>
    <blockquote
cite="mid:CAJyccHy9oC7F7WW4Z8C94tCdaSKLiMRm48YD8RmJh2CJo+VUhw@mail.gmail.com"
      type="cite">
      <div dir="ltr">Hi,
        <div><br>
        </div>
        <div>I don't know how cubicweb.dbapi is going to be in the future;
          now apparently cubicweb chooses api key authorization
          according to the development of signedrequest/rqlcontroller.</div>
        <div>
          <br>
        </div>
        <div>In fact, I would like to mention that both api key
          authorization and username/password authorization exist in the
          webservice industry.</div>
        <div><br>
        </div>
        <div><a moz-do-not-send="true"
href="https://blog.apigee.com/detail/do_you_need_api_keys_api_identity_vs._authorization">https://blog.apigee.com/detail/do_you_need_api_keys_api_identity_vs._authorization</a></div>
        <div>```</div>
        <div>API keys originated with the first public web services,
          like Yahoo and Google APIs. <br>
        </div>
        <div>Twitter simplifies things for their users by using
          usernames and passwords for API authentication. </div>
        <div>```<br>
          <div class="gmail_extra">In my opinion, the most difficult
            point is how to securely store the login and password in a
            client program using Python, or else the human user types the
            login and password for the program each time.</div>
          <div class="gmail_extra"><br>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
    The login/password way is natively supported by cubicweb (passing
    __login=XXX and __password=YYY in the URL or as url-encoded POST
    arguments will automatically log you in before processing the
    request further).<br>
    <br>
    <blockquote
cite="mid:CAJyccHy9oC7F7WW4Z8C94tCdaSKLiMRm48YD8RmJh2CJo+VUhw@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>
          <div class="gmail_extra">In addition, considering the
            compatibility, signedrequest/rqlcontroller could provide
            two authorization ways; they do not conflict.</div>
          <div class="gmail_extra">
            <br>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
    signedrequest also signs the request, which aims at being immune to
    a man in the middle. The password approach requires https.<br>
    <br>
    <blockquote
cite="mid:CAJyccHy9oC7F7WW4Z8C94tCdaSKLiMRm48YD8RmJh2CJo+VUhw@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>
          <div class="gmail_extra">It would be better to leave it to the
            cubicweb team to answer the future development problem.</div>
          <div class="gmail_extra"><br>
          </div>
          <div class="gmail_extra">Best,<br>
            Jinpeng<br>
            <br>
            <div class="gmail_quote">
              On Thu, Mar 13, 2014 at 10:20 AM, Yann Cointepas <span
                dir="ltr">&lt;<a moz-do-not-send="true"
                  href="mailto:yann@cointepas.net" target="_blank">yann@cointepas.net</a>&gt;</span>
              wrote:<br>
              <blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
                <div dir="ltr">
                  <div>
                    <div>
                      <div>Hi,<br>
                        <br>
                      </div>
                      I probably made things confusing by talking about
                      a link between password and
                      signedrequest/rqlcontroller. Let's get back to a
                      simple user question.<br>
                      <br>
                    </div>
                    When cubicweb.dbapi is obsolete, how will CubicWeb
                    make it possible for a user to use their own
                    collection of Python scripts using RQL to access a
                    CubicWeb instance (not a single application,
                    possibly used on several devices located on several
                    sites)? Today using cubicweb.dbapi with
                    login/password is very simple and flexible. How is
                    it going to be in the future?<span class=""><font
                        color="#888888"><br>
                        <br>
                      </font></span></div>
                  <span class=""><font color="#888888">      Yann<br>
                      <div class="gmail_extra"><br>
                      </div>
                    </font></span></div>
              </blockquote>
            </div>
            <br>
          </div>
        </div>
      </div>
      <br>
    </blockquote>
    <br>
    <br>
    <pre class="moz-signature" cols="72">-- 

Florent Cayré

LOGILAB S.A.                      104, bd Auguste Blanqui 75013 PARIS
                                  tel +33 (0)1.45.32.03.12
                                  tel +33 (0)1.83.64.25.26
Python, Debian, XP training       <a class="moz-txt-link-freetext" href="http://www.logilab.fr/formations">http://www.logilab.fr/formations</a>
Custom software development       <a class="moz-txt-link-freetext" href="http://www.logilab.fr/services">http://www.logilab.fr/services</a>
Python and scientific computing   <a class="moz-txt-link-freetext" href="http://www.logilab.fr/science">http://www.logilab.fr/science</a>
Knowledge management              <a class="moz-txt-link-freetext" href="http://www.logilab.fr/gestion-connaissances">http://www.logilab.fr/gestion-connaissances</a>
CubicWeb, semantic web framework  <a class="moz-txt-link-freetext" href="http://www.cubicweb.org">http://www.cubicweb.org</a>
</pre>
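    <br>
    The contrast drawn in the thread between sending a password and signing the request, as an added example that is not part of the original e-mails and is not the signedrequest cube's code. It is a generic HMAC scheme; the header names, token id, secret and the <code>/demo-rql</code> path are all hypothetical.<br>

```python
import hashlib
import hmac

# Constructed demo credentials (hypothetical, not real CubicWeb tokens).
TOKENS = {"demo-token-id": b"demo-shared-secret"}
MAX_SKEW = 300  # seconds during which a signed request is accepted


def string_to_sign(method, url, body, date):
    """Canonical form covering every field an on-path attacker could alter."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), url, body_hash, str(date)]).encode()


def sign_request(token_id, secret, method, url, body, date):
    """Client side: only the MAC travels, the secret never does."""
    mac = hmac.new(secret, string_to_sign(method, url, body, date),
                   hashlib.sha256).hexdigest()
    return {"X-Demo-Date": str(date),
            "Authorization": "Demo %s:%s" % (token_id, mac)}


def verify_request(method, url, body, headers, now):
    """Server side: return the token id if the request is authentic."""
    try:
        scheme, cred = headers["Authorization"].split(" ", 1)
        token_id, mac = cred.split(":", 1)
        date = int(headers["X-Demo-Date"])
    except (KeyError, ValueError):
        return None
    secret = TOKENS.get(token_id)
    if scheme != "Demo" or secret is None:
        return None
    if abs(now - date) > MAX_SKEW:  # stale: limits replay of a capture
        return None
    expected = hmac.new(secret, string_to_sign(method, url, body, date),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking the MAC through timing.
    ok = hmac.compare_digest(expected.encode(), mac.encode())
    return token_id if ok else None


def demo():
    """Genuine request, tampered body, and late replay (constructed data)."""
    now = 1394706240  # constructed timestamp, 13 March 2014
    url, body = "/demo-rql", b"rql=Any X WHERE X is CWUser"
    hdrs = sign_request("demo-token-id", TOKENS["demo-token-id"],
                        "POST", url, body, now)
    tampered = b"rql=Any X WHERE X is CWGroup"
    return (verify_request("POST", url, body, hdrs, now),
            verify_request("POST", url, tampered, hdrs, now),
            verify_request("POST", url, body, hdrs, now + 3600))
```

Signing protects integrity and authenticity only: the request body is still readable on the wire without https, and the client still has to store the shared secret.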
  </body>
</html>