[closed] Re: p:http-request's send-authorization use case?

Florent Georges <fgeorges@fgeorges.org> writes:
>   In p:http-request, what's the intent of send-authorization?  I
> understand what the processor is supposed to do, but I would like
> to know why it is helpful.

If you know that you're using Basic authentication, then you can send
the credentials first and avoid the "got a 401, retry with
credentials" round trip.

> Why not always send credentials on
> the first request, when specified?  I guess this is related to
> security, to not send credentials without the user explicitly
> requesting so?

Credentials that you send on the first attempt are effectively clear
text. (They're hashed, but I think it's reversible.) So you don't
want to do that without the author explicitly requesting it.

It's also pointless if you're using Digest authentication since you
can't construct the correct credentials before the server sends you a
nonce.

Please let us know if this explanation is unsatisfactory.

>   BTW, the recent comments I raised about this step are because I
> got inspired from it to design an equivalent feature for XSLT.  I
> thought it would be helpful to have same names for attributes,
> etc.  You can see it at:
>
>     http://www.fgeorges.org/xslt/exslt2/http-client.html
>
> and discussions at: http://lists.fourthought.com/pipermail/exslt/.

Cool.

                                        Be seeing you,
                                          norm

-- 
Norman Walsh <ndw@nwalsh.com> | All our foes are mortal.--Paul Valéry
http://nwalsh.com/            | 

Received on Thursday, 5 February 2009 13:31:45 UTC