Altova Mailing List Archives


Re: [xsl] HTTP authentication support

From: Abel Braaksma <abel.online@--------->
To:
Date: 9/3/2007 10:10:00 PM
Robert Koberg wrote:
How are you suggesting these should work?

The simplest approach is merely to recognize URLs in the form https://user:pass@host/

That is secure for what? Classroom examples?

This is not about security, it is about authentication. They are 
related, but not the same. Basic Authentication (which could be what is 
expressed above) is not secure at all: the password is sent in plain 
text over the internet and it doesn't really matter whether you type it 
or not. Digest authentication is a bit more secure, but still fairly 
easy to crack. SSL, of course, is the way to go when you want it secure 
because your data becomes virtually unreadable, but you usually combine 
it with some way of authentication, next to your certificate + encryption.



In almost all systems where some layer needs to access another layer 
(ORM needs access to RDBMS, Ant needs access to CVS etc) automatically, 
passwords are stored inside the code/pwd files/settings files, sometimes 
encrypted, sometimes not. The security then does not depend on this 
visible password on the system, but on the way this system is secured 
from the rest of the world.



So, to answer your question: it is as secure as any system that needs an 
(automatic) secured connection to another system (and obviously you 
don't need to store the password/username inside the XSLT).



Cheers,
-- Abel Braaksma


Alternatively, you can, of course, make it all interactive. If I use 
Eclipse (or is it Oxygen?) to run a stylesheet that tries to get data 
from a challenge/response type of connection, it is so kind to ask me 
for a password, even when I do it with XSLT. But then, this password is 
sent unencrypted (unless it is SSL of course, but then still, anybody 
with access to my computer will be able to get the information through 
keyloggers).

