« I dig the redesign..... | Main | Formatting Comments... »
20030509 Friday May 09, 2003

How to control access with Jabber? So know that I've got a password-embedding scheme worked out for e-mail and moblogger, I have to figure out a way to do something similar with Jabber. Currently, in what I have working, there is no password verification, but it is needed. It's necessary to prevent just any-old-Joe from posting to your weblog. Of course, they'd have to know the username for your blog IM user (this listens for new posts), but it probably wouldn't be hard to figure out. My first thought is to have the password as the first part of the message, and then the message after that. For instance: 

mypassword / Here is the rest of my post

I'd suggest doing this in the subject, but the problem with this is that you can send an IM without a subject, and I still want posts to succeed even if there's no subject (a.k.a. title). So whaddya think - would you be willing to type "password / rest of your IM" everytime to wanted to post to your weblog via IM?

BTW, the new server seems to be holding up quite nicely, eh? Posted in Java at May 09 2003, 06:37:11 AM MDT 4 Comments

Comments:

Instead of using a password in your IM posting (which feels a little awkward, IMHO), you could always limit posting access by jabber id. As long as the jabber server isn't compromised, an ID coming from foo@jabber.com should be (at least from what I've read) foo on the jabber.com server. I'm sure that spoofing, if even known to be possible, is non-trivial. If you set up foo@jabber.com as an address that you can post from, you'd be able to post from home or work, since you could have foo@jabber.com/Home and foo@jabber.com/Work, etc. I've read up a lot about Jabber, but I'm no expert. However this seems just as secure as a plaintext password in a subject email or a plaintext password in an IM conversation. Of course none of these is really secure, but usually secure enough for our purposes. :)

Posted by Matt Croydon on May 09, 2003 at 07:25 AM MDT #

Ack, sorry about the ugly comment. Next time I'll make use of the p tag.

Posted by Matt Croydon on May 09, 2003 at 07:27 AM MDT #

That's probably the best idea - thanks Matt!

Posted by Matt Raible on May 09, 2003 at 08:19 AM MDT #

Mark did this for blojsim via a valid-posters list as well. Basically, the list specified who is allowed to "converse" with (aka post to) your blog.

Posted by David Czarnecki on May 09, 2003 at 09:39 AM MDT #

Post a Comment:
  • HTML Syntax: Allowed