cocoon-dev mailing list archives

Subject RE: Release early? (was: Roadmap Executive Plan)
Date Tue, 12 Mar 2002 12:00:51 GMT
Quoting Carsten Ziegeler:

> > Sylvain Wallez wrote:
> > <snip>
> > >
> > >>A question about sunRise : is it possible to use standard HTTP
> > >>authentication and authorization ? AFAICS, it seems to be very tied to
> > >>form-based and application-managed authentication.
> > >>
> > >
> > >You can use any information you can reach from within the Java code.
> > >I'm not sure if there is a chance to get the HTTP authentication infos.
> > >If yes, you can use sunRise.
> > >
> > The problem comes from the login page. With HTTP authentication, you
> > don't have a dedicated login page, and thus cannot use this one to
> > handle authentication. Or did I miss something ?
> >
> Hm, correct me if I'm wrong as we never used HTTP authentication with
> sunRise.
> If a user requests a URI from the web server which is protected, the web
> server (or the browser) prompts for the authentication information.

Yes. This is true for all kinds of authentication types (BASIC-AUTH as well as
SSL client certs).

> Only if the
> user is authenticated this request is forwarded to the servlet engine.
                        ^ by the web server 

> Is this correct?


> If this is so, the servlet engine can - without using a form - use the
> sunRise-login action, get the information from the web server (if possible)
> and log the user into sunRise.

Yes, without redirecting it to a login page (in any case). In the case the
Action thinks a user is not authorized it has to tell it back to the web server
by using the corresponding HTTP response code (5xx IIRC).

The authenticating server and the application share a common user base (the web
server for authentication and the application for authorisation). 

> Does this make sense?

I think so.
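
The split discussed in this thread (the web server or container authenticates, the application authorises against its own user base) can be sketched with the standard servlet API. This is an added example, not part of the original message and not sunRise or Cocoon code; the class name, the `requiredRole` init parameter, the `app.user` attribute and the sample users are assumptions, and it answers with 403 Forbidden when access is refused.

```java
import java.io.IOException;
import java.util.Map;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter: the container authenticates, the application authorises. */
public class ContainerAuthFilter implements Filter {

    // Constructed sample data standing in for the application's own user base.
    private static final Map<String, Set<String>> APP_ROLES = Map.of(
            "alice", Set.of("editor", "admin"),
            "bob", Set.of("reader"));

    private String requiredRole = "editor";

    @Override
    public void init(FilterConfig config) {
        // "requiredRole" is an init-param name assumed for this example.
        String configured = config.getInitParameter("requiredRole");
        if (configured != null) requiredRole = configured;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Non-null only after the container accepted BASIC, client-cert, etc.
        // Never substitute a client-supplied header or parameter for this value.
        String user = request.getRemoteUser();
        if (user == null) {
            // The URI is not protected in front of us: fail closed.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "not authenticated");
            return;
        }
        // Authorisation is the application's decision, from its own user base.
        if (!APP_ROLES.getOrDefault(user, Set.of()).contains(requiredRole)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "not authorised");
            return;
        }
        // Hand the identity to the application without showing a login form.
        request.setAttribute("app.user", user);   // attribute name is an assumption
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() { }
}
```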

