Re: delegated authentication

> I understand you to be saying above that you are thinking of the secretary robot
> connecting to some server  (say on IBM.com),  and then make a request on that resource
> but somehow adding a ?id=webid to the url it was going to request? How would it know
> that that resource understood the same thing that you thought you meant when adding
> ?id=webid to the resource? There may not even be a resource there. (those are 2 different
> URLs)
>
> That does not seem very RESTful. It would require 2 requests on the resource:
> one where you get the version without the ?id=webid fields, and it returns some information
> telling you how you can GET a version for the secretary namely in your case by
> adding a ?id=webid field (perhaps it returns a semantically annotated form).

Yes, you are right. I feared that using an extra HTTP header option 
would require support from the webserver, but I was wrong. Indeed, 
specifying the identity of the real person in the header would be the 
best solution.

Andrei

Received on Saturday, 23 June 2012 09:55:38 UTC