cocoon-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From giac...@apache.org
Subject RE: Release early? (was: Roadmap Executive Plan)
Date Tue, 12 Mar 2002 12:00:51 GMT
Quoting Carsten Ziegeler <cziegeler@s-und-n.de>:

> > Sylvain Wallez wrote:
> > <snip>
> > >
> > >>A question about sunRise : is it possible to use standard HTTP
> > >>authentication and authorization ? AFAICS, it seems to be very tied
> to
> > >>form-based and application-managed authentication.
> > >>
> > >
> > >You can use any information you can reach from within the Java code.
> > >I'm not sure if there is a change to get the HTTP authentication
> infos.
> > >If yes, you can use sunRise.
> > >
> > The problem comes from the login page. With HTTP authentication, you
> > don't have a dedicated login page, and thus cannot use this one to
> > handle authentication. Or did I miss something ?
> >
> 
> Hm, correct me if I'm wrong as we never used HTTP authentication with
> sunRise.
> If a user requests a URI from the web server which is protected, the web
> server
> (or the browser) prompts for the authentication information. 

Yes. This is true for all kinds of authentication types (BASIC-AUTH as well as
SSL client certs).

> Only if the
> user is authenticated this request is forwarded to the servlet engine.
                        ^ by the web server 

> Is this correct?

Yes.

> If this is so, the servlet engine can - without using a form - use the
> sunRise-login
> action, get the information from the web server (if possible) and log
> the
> user
> into sunRise.

Yes, without redirecting it to a login page (in any case). In the case the
Action thinks a user is not authorized it has to tell it back to the web server
by using the corresponding HTTP response code (5xx IIRC).

The authenticating server and the application share a common user base (the web
server for authentication and the application for authorisation). 

> Does this make sense?

I think so.

Giacomo

---------------------------------------------------------------------
To unsubscribe, e-mail: cocoon-dev-unsubscribe@xml.apache.org
For additional commands, email: cocoon-dev-help@xml.apache.org


Mime
View raw message