- From: Henrik Nordstrom <hno@squid-cache.org>
- Date: Sun, 22 Oct 2006 17:53:12 +0200
- To: HTTP Working Group <ietf-http-wg@w3.org>
- Message-Id: <1161532392.6496.64.camel@henriknordstrom.net>
Sun 2006-10-22 at 06:35 -0700, David Morris wrote:

> applications, I don't find a need for improved support. Any
> developer who isn't satisfied with the simplistic nature of the
> web browser dialog has the freedom to prompt for credentials using
> an https: based web page.

What this discussion aims at is allowing the developer the exact same freedom, but without throwing out the HTTP authentication support.

In a properly layered system authentication is a task of the web server, not the application. The application should only need to deal with authorization. Due to the lack of freedom and certain functionality, application designers are currently forced to venture into authentication.

> Serious applications need better underlying
> facilities for session authentication and management than provided by the
> likes of .htaccess, etc.

.htaccess is one of many ways a web server can be configured for authentication.

The thing here is that HTTP has a very powerful authentication subsystem, but it is today frequently ignored, with each application designer inventing their own plain-text (plus transport encryption if lucky) scheme based on cookies to keep track of the user.

Forms-based authentication is all fine in the cases where authentication is and must be all owned by the application, especially so if the application acts as a proxy to other backend services. But it's often not the case if you take a second breath and look at the problem again. More often the application is doing authentication just because it has to, to meet the demands of designers (and users), and would in fact benefit from being able to integrate cleanly with existing authentication frameworks, and the web server is the natural place for such integration. It's also the natural place for extending the framework with new authentication schemes providing stronger protection of users' passwords and abilities such as single sign-on etc. (very important in intranet applications).

Regards
Henrik
Received on Sunday, 22 October 2006 15:53:22 UTC