W3C home > Mailing lists > Public > www-jigsaw@w3.org > March to April 1998

Re: Authorization - requesting username & password in a filter

From: Paul Pazandak <pazandak@OBJS.com>
Date: Thu, 19 Mar 1998 16:57:10 -0600
Message-ID: <3511A3FD.7C99C8A8@OBJS.com>
To: Jigsaw Email List <www-jigsaw@w3.org>

Yves,

Thanks, that worked great! Now, I have a related problem. Here is a scenario:

I have two resources:
    - foo.html with username/password of foo/foo -- one MUST enter the
            proper username/password to see the file

    - bar.html
            - if the username/password is bar/bar then the user gets all of
                the file
            - if the username/password is foo/foo then the user gets some of it
            - otherwise, all of the confidential content is stripped out before
                sending it to the user

The problem is that if the user first views foo.html, the credential
has the value foo/foo & it hangs around on subsequent requests from a client.
Now, when he wants to view bar.html he may want to view all of the content
& therefore would need to be able to re-enter a username/password (specifically,
bar/bar). Is there anyway a client can cause this to occur? Otherwise, he'll
only get some of the content since the credential is still foo/foo.

While it would be nice to allow the user to roam the site only having
entered a username/password once, the only way I can think of to enable the
above situation would be to delete the credential whenever content filtering
is turned on for a resource, then do a WWW-Authenticate to get a new user/pswd.

Any other ideas?

Regards,

Paul.


Yves Lafon wrote:

> On Wed, 18 Mar 1998, Paul Pazandak wrote:
>
> > Is it possible to generate a username & password dialog (on the client) within a filter as
> > part of an auxiliary authorization mechanism (the same dialog that appears when logging
> > into the Admin pages on the server)? I would like to be able to do this independent of
> > any Jigsaw authorization mechanisms -- e.g. ask a client for a username/password before
> > letting them see a document.
>
> The best way should be to use the Proxy Authentication. It then allow
> users to browse pages with "normal" authentication
> >From the server...
> If the Proxy-Authorization field is not present and do not contain the
> right values, it should return a HTTP.PROXY_AUTH_REQUIRED (407).
> And a Proxy-Authenticate header, (same as WWW-Authenticate field in an
> "unauthorized" answer, see GenericAuthFilter).
>
> > Second, IF the user already provided a username/password (for site access let's say, using
> > Jigsaw auth mechanisms), is there a way for the filter to access this information?
>
> Yes, the Proxy-Authorization field will be there (requested by the
> filter). We use a trick to check the user taken from an AuthFilter in
> w3c.jigsaw.filters.PutListResource (org.w3c.filters.PutListFrame).
> Regards,
>
>       /\          - Yves Lafon - World Wide Web Consortium -
>   /\ /  \                Architecture Domain - Jigsaw
>  /  \    \/\
> /    \   /  \   http://www.w3.org/People/Lafon - ylafon@w3.org

   --

********************************************************************
Paul Pazandak                                      pazandak@objs.com
Object Services and Consulting, Inc.             http://www.objs.com
Minneapolis, Minnesota 55420-5409                       612-881-6498
********************************************************************
Received on Thursday, 19 March 1998 17:57:17 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 9 April 2012 12:13:27 GMT