[josm-dev] shocking - unsecure password sending!
Shaun McDonald
osm at shaunmcdonald.me.uk
Wed Oct 7 09:04:32 BST 2009
On 7 Oct 2009, at 07:09, Karl Guggisberg wrote:
>> Probably right although I'm sure a way can be found to save the
>> user from having to cut+paste the token.
> I'm afraid, it can't. If JOSM was a web application, it would be
> part of the OAuth protocol that the OSM
> website "calls back" JOSM with the request token. For a Java rich
> client this isn't possible.
>
> But wait a minute, don't we have a remote control plugin which is
> "called back" by the OSM web site? Yes, sort of.
> We would need
> - the OSM page which generates the request token to include a link
> <a href="http://localhost:8888/oauth-request-token">Click to import
> the request token into JOSM</a>
> - JOSM to listen on port 8888 for such requests (similar to the
> remote plugin)
>
> This would be slightly less complicated from the user's point of view
> but it's still not seamless.
> The user explicitly has to click on the link.
The callback URL could be http://localhost:8888/oauth-request-token
thus taken straight to the application.
Or the page could have an HTTP refresh meta HTML element to head to the
above URL.
Shaun
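
Added example, not part of the original message and not JOSM code: a loopback receiver for the callback URL discussed above. The class and method names are hypothetical, and it assumes the OSM site appends the request token as the OAuth 1.0 `oauth_token` query parameter. It binds to the loopback address only and rejects any token other than the one the client is waiting for, since any web page open in the user's browser can also request http://localhost:8888/.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.concurrent.CompletableFuture;

// Hypothetical class for illustration; assumes the callback carries ?oauth_token=...
public class LoopbackCallback {
    // Extract oauth_token from the raw query string; null if it is absent.
    static String tokenFrom(String rawQuery) {
        if (rawQuery == null) return null;
        for (String pair : rawQuery.split("&")) {
            int eq = pair.indexOf('=');
            if (eq > 0 && pair.substring(0, eq).equals("oauth_token"))
                return URLDecoder.decode(pair.substring(eq + 1), StandardCharsets.UTF_8);
        }
        return null;
    }
    // Accept only the request token this client obtained (constant-time compare).
    static boolean matches(String expected, String received) {
        return received != null && MessageDigest.isEqual(
            expected.getBytes(StandardCharsets.UTF_8), received.getBytes(StandardCharsets.UTF_8));
    }
    // Block until the browser delivers the expected token, then shut the listener down.
    static String awaitCallback(String expectedToken) throws Exception {
        CompletableFuture<String> done = new CompletableFuture<>();
        // Bind to the loopback address only, never to all interfaces.
        HttpServer server = HttpServer.create(
            new InetSocketAddress(InetAddress.getLoopbackAddress(), 8888), 0);
        server.createContext("/oauth-request-token", ex -> {
            String token = tokenFrom(ex.getRequestURI().getRawQuery());
            boolean ok = "GET".equals(ex.getRequestMethod()) && matches(expectedToken, token);
            byte[] body = (ok ? "Token received, return to JOSM." : "Rejected.")
                .getBytes(StandardCharsets.UTF_8);
            ex.sendResponseHeaders(ok ? 200 : 400, body.length);
            ex.getResponseBody().write(body);
            ex.close();
            if (ok) done.complete(token);   // unexpected tokens leave the listener waiting
        });
        server.start();
        try { return done.get(); } finally { server.stop(0); }
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample value; a real client passes the request token it just obtained.
        System.out.println("authorized: " + awaitCallback("sample-request-token"));
    }
}
```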