RE: documenting an incubator success story from Peter Williams on 2012-01-06 (public-xg-webid@w3.org from January 2012)

From: Peter Williams <home_pw@msn.com>
Date: Thu, 5 Jan 2012 21:11:26 -0800
To: <melvincarvalho@gmail.com>
CC: "public-xg-webid@w3.org" <public-xg-webid@w3.org>
Message-ID: <SNT143-W561121CB97F6194EBE57D992950@phx.gbl>
take a look at  http://idweb.cloudapp.net:8080/ and then https://idweb.cloudapp.net/ (Its Microsoft sample code, and as normal I claim no credit for others' work). Buit they do something that feels quite right, and modern, concerning the handling of https and http, in a mixed https/http handoff environment. Its going someways along the lines where Henry is trying to go. He is trying to break the IETF-imposed model for TLS, that wanted SSl to be a matter of transport (controlled often by the load balancer). He wants it under application control, so it can work with applications that are wholly based on the uri scheme. he wants to be able to control client authn challenges and SSL connection/session teardown (but there is more to it than just that) In this demo, I assume that folks want to use the site for "public" data in either https or http modes. Its up to the user. Thus one can visit either root. Furthermore, it has to reveal both Turtle card on both an http and https endpoint (with aligned namespaces for the webid subject's graph). It also wants to show a default home page, in all cases. When going to a protected resource however, for example Directory, then two conditions are applied. First, IDPs are presented in such a condition 0 and one must pass the challenge havine selected one. Second, the IDPs response will be insufficient regardless of content, if one was not already on the https form of the Directory path (or any other similarly protected resouce set).  In the microsoft code, they apply a code/metadata  "attribute" to MVC action verb requiring such protection - thereby requiring the IDP behaviour (if one has no SP-side session with stored claims rebuilt using cookies, each round trip). And, a more core interceptor in the session handling module for websso handoffs from IDP requires that it be targeting an https URI. Thus, setting off an access attempt from an http e environment WILL induce the user to pass by a slected IDP (probably over https), but the IDP's return assertion "as delivered" will not pass the guard that knows it was all initiated from an http endpoint. The assertions good standing and even a sucessful mapping of claims onto an active account is not sufficient to be granted a session, given the https guard rule. Anyways try it.      
 > Date: Fri, 6 Jan 2012 00:41:24 +0100
> Subject: Re: documenting an incubator success story
> From: melvincarvalho@gmail.com
> To: home_pw@msn.com
> CC: public-xg-webid@w3.org
> 
> On 5 January 2012 21:16, Peter Williams <home_pw@msn.com> wrote:
> > Trying to decide if the first round of incubation has achieved anything, I
> > worked to put it ALL together in a working trial - telling the semantic web
> > value add, first and foremost.
> 
> I think so.
> 
> I follow about 100 projects on the web and this is one of the more
> active and innovative groups.
> 
> Lots of new people.
> 
> Lots of implementations.
> 
> Lots of ideas.
> 
> But still some work to do.  It's time to start building those apps! :)
> 
> >
> > The story is told here: http://tinyurl.com/7y9d5e7
> >
> > Is classy stuff what YOU guys have done. The proof of the classy-iness is in
> > the fact that I have not written a single line of code, and yet I could do
> > what is shown.
> >
> > Its was a pain getting here. But in 20 years of certs and having worked with
> > as powerful, full on directory theory as exists in the planet, Ive never
> > seen ANYTHING like it. Its that good.
Received on Friday, 6 January 2012 05:11:54 UTC