Thread: how to bypass basic authentication by AJAX


how to bypass basic authentication by AJAX
United States
2007-08-27 15:01:49
I want to create a Gmail portlet, which will show me all the unread Gmail email messages.

For this I am using Google's https://mail.google.com/mail/feed/atom ATOM feed and AJAX.

Now the problem is, to get the mail feed I need to bypass the basic authentication.

Could anyone tell me how I can bypass the authentication or pass the userid and password with this URL?

I am using IBM WebSphere Portal and the JSR portal API.


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Google AJAX API" group.
To post to this group, send email to Google-AJAX-Search-API@googlegroups.com
To unsubscribe from this group, send email to Google-AJAX-Search-API-unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/Google-AJAX-Search-API?hl=en
-~----------~----~----~----~------~----~------~--~---


Re: how to bypass basic authentication by AJAX
United States
2007-08-27 17:03:24
First, from a practical standpoint, if you bypass authentication, Gmail won't know whose mail you're wanting to monitor. Second, from a security standpoint, allowing such a backdoor/bypass (let alone allowing it to be publicized) would be an absolute nightmare.

That said, there is a way to include the userid and password in the URL, but you'll have to decide if it's worth the security risk. According to the GMail Help Center, you could request the following url:

https://username:password@mail.google.com/mail/feed/atom

Doing that, though, will have two potentially - and one definitely - critical security problems. First, due to the same origin restriction of the AJAX Feeds API (and all AJAX applications), you will have to pass the url back to a server (in this case, Google) that can request the feed. This introduces the possibility that someone with access to that server can see your username and password and thus gain access to your mail account. Second, as a byproduct of AJAX's same origin restriction, Google servers are required to crawl all feeds requested via the AJAX Feeds API. To speed these requests and limit the demand on server resources and bandwidth, Google caches all feeds. That would include your mail feed, potentially allowing someone else to gain access to your messages. And third, most importantly, to use this approach with the Feeds API, you will have to include your username and password somewhere in your Javascript. Maybe you'll set it up so that it's only accessible to specific users, but let's say that specific user walks away from the terminal for five minutes and some less-than-upstanding citizen slides in. A couple of key strokes, and they have username and password.

Granted, Google likely has stringent security. And they already have access to your account (they are, after all, the proprietors of GMail), so the first two of these security concerns probably aren't all that great, but the third one, in my book, definitely is. In other words, I would strongly urge you to think three or four times before you choose to deploy such a system.

Jeremy R. Geerdes
Effective website design & development
Des Moines, IA

For more information or a project quote:
http://jgeerdes.home.mchsi.com
jgeerdes@mchsi.com




Re: how to bypass basic authentication by AJAX
United States
2007-08-27 17:29:32
Thanks a lot for your response... I really appreciate it.

By "bypass basic authentication" I mean avoiding that pop-up. How can I pass the userid and password along with the feed URL or request, so that it will not ask for userid and password via the pop-up?

And the bad news is that https://username:passw...@mail.google.com/mail/feed/atom (this URL form) is not supported anymore by IE (6.0 onward).

Now actually I have 2 options:

1. By AJAX: Google is providing an Atom feed, so I think there should be a way to provide userid and password.

2. By using the IBM Portal credential vault.

With the 2nd approach it's working fine for me, and it's storing the password in the vault.


On Aug 27, 6:03 pm, jgeerdes <jgeer...@mchsi.com> wrote:
> First, from a practical standpoint, if you bypass authentication, Gmail won't know whose mail you're wanting to monitor. Second, from a security standpoint, allowing such a backdoor/bypass (let alone allowing it to be publicized) would be an absolute nightmare.
>
> That said, there is a way to include the userid and password in the URL, but you'll have to decide if it's worth the security risk. According to the GMail Help Center, you could request the following url:
>
> https://username:passw...@mail.google.com/mail/feed/atom
>
> Doing that, though, will have two potentially - and one definitely - critical security problems. First, due to the same origin restriction of the AJAX Feeds API (and all AJAX applications), you will have to pass the url back to a server (in this case, Google) that can request the feed. This introduces the possibility that someone with access to that server can see your username and password and thus gain access to your mail account. Second, as a byproduct of AJAX's same origin restriction, Google servers are required to crawl all feeds requested via the AJAX Feeds API. To speed these requests and limit the demand on server resources and bandwidth, Google caches all feeds. That would include your mail feed, potentially allowing someone else to gain access to your messages. And third, most importantly, to use this approach with the Feeds API, you will have to include your username and password somewhere in your Javascript. Maybe you'll set it up so that it's only accessible to specific users, but let's say that specific user walks away from the terminal for five minutes and some less-than-upstanding citizen slides in. A couple of key strokes, and they have username and password.
>
> Granted, Google likely has stringent security. And they already have access to your account (they are, after all, the proprietors of GMail), so the first two of these security concerns probably aren't all that great, but the third one, in my book, definitely is. In other words, I would strongly urge you to think three or four times before you choose to deploy such a system.
>
> Jeremy R. Geerdes
> Effective website design & development
> Des Moines, IA
>
> For more information or a project quote: http://jgeerdes.home.mchsi.com
> jgeer...@mchsi.com
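The two positions in this thread, Jeremy's warning about credentials living in the feed URL and in browser-side JavaScript, and the credential-vault approach that ended up working for the original poster, point at the same design: a server-side component holds the Gmail password and makes the authenticated request, and the browser only ever receives the parsed result. The Node.js example below is added here and is not code from the thread, from Google or from IBM. It converts the Help Center's user:password@ URL form into a credential-free URL plus the equivalent HTTP Basic Authorization header, fetches the feed through an injected transport (a fake one, so it runs offline; a real portlet would use the server's HTTP client), and parses a constructed sample in the Gmail Atom feed layout (<fullcount> plus one <entry> per unread message). The function names, the sample feed, the fake transport and the placeholder credentials are all assumptions for illustration.

```javascript
// Added example, not from the thread or from Google/IBM. Plain Node.js, no
// dependencies. Shows how a server-side component can hold the Gmail
// credentials and fetch the Atom feed so nothing secret reaches the browser.

// HTTP Basic credentials (RFC 7617): base64 of "user:pass". This is encoding,
// not encryption, so the header is exactly as sensitive as the password.
function basicAuthHeader(user, pass) {
  const token = Buffer.from(`${user}:${pass}`, 'utf8').toString('base64');
  return `Basic ${token}`;
}

// Convert the "https://user:pass@host/path" form quoted from the Gmail Help
// Center into a credential-free URL plus the equivalent Authorization header.
// A URL with userinfo ends up in proxy logs, browser history and feed caches;
// a header does not.
function splitUserinfo(urlWithCreds) {
  const u = new URL(urlWithCreds);
  if (!u.username) throw new Error('URL carries no userinfo credentials');
  const authorization = basicAuthHeader(
    decodeURIComponent(u.username), decodeURIComponent(u.password));
  u.username = '';
  u.password = '';
  return { url: u.toString(), authorization };
}

// Minimal parser for the Gmail Atom feed shape: a <fullcount> element and one
// <entry> per unread message. Regex-based because Node has no built-in XML
// parser; fine for this small, well-formed feed, not for arbitrary XML.
function unescapeXml(s) {
  return s.replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&quot;/g, '"')
          .replace(/&apos;/g, "'").replace(/&amp;/g, '&');
}
function pick(xml, tag) {
  const m = xml.match(new RegExp(`<${tag}>([\\s\\S]*?)</${tag}>`));
  return m ? unescapeXml(m[1].trim()) : '';
}
function parseUnread(atomXml) {
  const entries = [];
  for (const m of atomXml.matchAll(/<entry>([\s\S]*?)<\/entry>/g)) {
    entries.push({ title: pick(m[1], 'title'), from: pick(m[1], 'email') });
  }
  return { fullcount: Number(pick(atomXml, 'fullcount')), entries };
}

// Server-side fetch. `transport(url, headers)` is injected so the example runs
// offline; in a portlet it would be the server's HTTP client, and user/pass
// would come from the server's secret store (the IBM credential vault in the
// thread), never from a value embedded in page JavaScript.
function fetchUnread(feedUrl, user, pass, transport) {
  const body = transport(feedUrl, { Authorization: basicAuthHeader(user, pass) });
  return parseUnread(body);
}

// Constructed sample in the Gmail Atom layout (not captured from Gmail).
const SAMPLE_FEED = `<?xml version="1.0" encoding="UTF-8"?>
<feed version="0.3" xmlns="http://purl.org/atom/ns#">
<title>Gmail - Inbox for user@example.com</title>
<fullcount>2</fullcount>
<entry><title>Build &amp; deploy failed</title><author><name>CI</name><email>ci@example.com</email></author></entry>
<entry><title>Lunch?</title><author><name>Alice</name><email>alice@example.com</email></author></entry>
</feed>`;

// Fake transport: records the request it was given and returns the sample.
function makeFakeTransport(log) {
  return (url, headers) => { log.push({ url, headers }); return SAMPLE_FEED; };
}

// Runs the whole flow with placeholder credentials and returns what the
// browser would get (result) next to what went over the wire (sent), plus the
// Help Center URL form converted into URL + header (converted).
function demo(user = 'username', pass = 'password') {
  const log = [];
  const result = fetchUnread('https://mail.google.com/mail/feed/atom',
                             user, pass, makeFakeTransport(log));
  const converted = splitUserinfo(
    `https://${encodeURIComponent(user)}:${encodeURIComponent(pass)}@mail.google.com/mail/feed/atom`);
  return { result, sent: log[0], converted };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run it with `node` to print the unread summary next to the exact request the transport received: the URL sent carries no userinfo, and nothing in the browser-facing `result` contains the password. Because Basic credentials are only base64-encoded, the Authorization header must travel over HTTPS only, and the server must not log request headers for this call.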

