- From: Thomas Broyer <t.broyer@gmail.com>
- Date: Fri, 13 Nov 2009 01:52:49 +0100
- To: Sylvain Hellegouarch <sh@defuze.org>
- Cc: Henrik Nordstrom <henrik@henriknordstrom.net>, Nicolas Alvarez <nicolas.alvarez@gmail.com>, ietf-http-wg@w3.org
On Thu, Nov 12, 2009 at 8:25 PM, Sylvain Hellegouarch <sh@defuze.org> wrote:
> Thomas Broyer wrote:
>>
>> On Wed, Nov 11, 2009 at 11:52 PM, Henrik Nordstrom wrote:
>>
>>>
>>> What is unspecified is how the user agent should behave if none of the
>>> provided challenges is understood. It seems to me that most user agents
>>> then fall back on basic auth with unspecified realm which imho is not a
>>> bad thing to do. Both unlikely to be accepted by the server AND exposing
>>> password details in the plain for no good value, better to abort the
>>> request with an error.
>>
>> All user agents I tested just displayed the response entity, except
>> Opera pre-10 which displayed an error page about the auth scheme not
>> being recognized:
>> http://hg.ltgt.net/http-cookie-auth/raw-file/tip/ua-compat.html
>
> Based on the context this scheme would be used (meaning I assume mostly
> along with Ajax), I guess this shouldn't be much of a problem anyway.

http-cookie-auth isn't at all limited to AJAX uses! See
http://hg.ltgt.net/http-cookie-auth/raw-file/tip/research.html

There are many frameworks out there where you settle for an auth
mechanism and it gets applied to each and every resource (URL) in your
app (e.g. ASP.NET, Alfresco's WebScripts framework, etc.)

For instance, we're using a custom scheme very similar to Cookie (it
also allows the credentials to be passed in an Authorization header,
for use with... AJAX! yes, AJAX calls use Authorization and cookies
are only used for non-AJAX requests, in our case, the admin section)
in an Enterprise app (this means admins cannot use Opera pre-10, but
we're actually targeting IE6 only):

Demo AJAX app: https://ubic.atolcd.com/
Demo "web 1.0" admin interface:
https://ubic.atolcd.com/alfresco/us/ubic/admin/ (the login screen is
returned in a 401 response)

(presentation of the project:
http://storage.pardot.com/47721_Alfresco_Case_Study_EADS_Astrium.pdf
or in French:
http://www2.alfresco.com/l/1234/2009-11-02/FLDWF/48971_Alfresco_Case_Study_EADS_Astrium_fr.pdf
)

-- 
Thomas Broyer
/tɔ.ma.bʁwa.je/
Received on Friday, 13 November 2009 00:53:23 UTC