cocoon-dev mailing list archives

From "Piroumian, Konstantin" <KPiroum...@flagship.ru>
Subject Re: Release early? (was: Roadmap Executive Plan)
Date Tue, 12 Mar 2002 12:48:22 GMT
> Quoting Carsten Ziegeler <cziegeler@s-und-n.de>:
>
> > > Sylvain Wallez wrote:
> > > <snip>
> > > >
> > > >>A question about sunRise: is it possible to use standard HTTP
> > > >>authentication and authorization? AFAICS, it seems to be very tied to
> > > >>form-based and application-managed authentication.
> > > >>
> > > >
> > > >You can use any information you can reach from within the Java code.
> > > >I'm not sure if there is a chance to get the HTTP authentication infos.
> > > >If yes, you can use sunRise.
> > > >
> > > The problem comes from the login page. With HTTP authentication, you
> > > don't have a dedicated login page, and thus cannot use this one to
> > > handle authentication. Or did I miss something?
> > >
> >
> > Hm, correct me if I'm wrong as we never used HTTP authentication with sunRise.
> > If a user requests a URI from the web server which is protected, the web server
> > (or the browser) prompts for the authentication information.
>
> Yes. This is true for all kinds of authentication types (BASIC-AUTH as well as
> SSL client certs).
>
> > Only if the
> > user is authenticated this request is forwarded to the servlet engine.
>                         ^ by the web server

And the web server can be the same as the servlet engine.

>
> > Is this correct?
>
> Yes.
>
> > If this is so, the servlet engine can - without using a form - use the
> > sunRise-login action, get the information from the web server (if possible)
> > and log the user into sunRise.
>
> Yes, without redirecting it to a login page (in any case). In the case the
> Action thinks a user is not authorized it has to tell it back to the web server
> by using the corresponding HTTP response code (5xx IIRC).

SC_UNAUTHORIZED
public static final int SC_UNAUTHORIZED
Status code (401) indicating that the request requires HTTP authentication.

Regards,
    Konstantin

>
> The authenticating server and the application share a common user base (the web
> server for authentication and the application for authorisation).
>
> > Does this make sense?
>
> I think so.
>
> Giacomo
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: cocoon-dev-unsubscribe@xml.apache.org
> For additional commands, email: cocoon-dev-help@xml.apache.org
>
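
The hand-off discussed in this thread, written as a servlet filter; this is an added example, not code from the message, sunRise or Cocoon. The class name, session key, realm and admin rule are hypothetical, and it assumes the container (or front-end web server) is configured for BASIC or client-certificate authentication. Returning 403 for an authenticated but unauthorized user goes beyond what the thread states.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: hypothetical filter, not sunRise or Cocoon code.
public class ContainerAuthBridgeFilter implements Filter {
    private static final String APP_USER = "app.user"; // hypothetical session key
    private static final String REALM = "example";     // placeholder; must match the realm the container validates

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;

        // Non-null only after the container (or a front-end web server whose
        // connector forwards the identity) verified BASIC credentials or a
        // client certificate. Never parse the Authorization header here.
        String user = req.getRemoteUser();
        if (user == null) {
            // Fail closed: 401 with a challenge makes the browser prompt.
            res.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Authorization stays in the application.
        if (!isAllowed(user, req.getServletPath())) {
            // Known user without rights: 403 avoids re-prompting for a password.
            res.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Bind the application session to the container identity; a session
        // that belongs to a different user is discarded, not reused.
        HttpSession session = req.getSession(true);
        Object bound = session.getAttribute(APP_USER);
        if (bound != null && !bound.equals(user)) {
            session.invalidate();
            session = req.getSession(true);
        }
        session.setAttribute(APP_USER, user);
        chain.doFilter(req, res);
    }

    // Constructed policy for illustration; replace with the application's user store.
    private boolean isAllowed(String user, String path) {
        return !path.startsWith("/admin/") || "admin".equals(user);
    }
}
```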
