couchdb-dev mailing list archives

From Robert Newson <robert.new...@gmail.com>
Subject Re: redirection on authentification
Date Tue, 07 Dec 2010 10:28:16 GMT
We do this on purpose (to prevent browsers prompting for credentials
in a dialog box) but you can include a custom request header to get
the WWW-Authenticate response header.

If you add a header called X-CouchDB-WWW-Authenticate then the value
of that header is returned, verbatim, in WWW-Authenticate if
authentication fails.

B.

On Tue, Dec 7, 2010 at 10:19 AM, Benoit Chesneau <bchesneau@gmail.com> wrote:
> Hi all,
>
> I'm experiencing a problem with the current method used when
> authentication fails. If you pass a wrong authentication header you
> are redirected to an HTML page asking for credentials. So technically
> we do:
>
> 401 -> 302 -> 200
>
> Which is wrong if we follow the spec. "The response MUST include a
> WWW-Authenticate header field [..]" [1]. It also introduces some bugs,
> try for example to create a database when not logged in.
>
> The reason we use a 302 actually is for couchapps. I think we should
> change that behavior:
>
> 1. Provide appropriate HTTP response by default
> 2. Use the trick of cookie auth (specific header) to let the
> CouchApps access CouchDB. Something like an "X-Auth-..." header in the
> request that notifies us we need to send a response that will not
> raise the dialog box in browsers.
>
> Thoughts ?
>
> [1] http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2
>
>
> - benoît
>
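
An added illustration of the opt-in header described in the reply above; it is not part of the original thread and is not CouchDB code. The local stub only models the behaviour the thread describes, and the 401 status for the opt-in case, the `/login-placeholder` path, the credentials and the function names are assumptions constructed for the example.

```python
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

OPT_IN = "X-CouchDB-WWW-Authenticate"  # request header named in the reply above
GOOD = "Basic " + base64.b64encode(b"admin:constructed-pw").decode()  # constructed
BAD = "Basic " + base64.b64encode(b"admin:wrong-pw").decode()  # constructed

class Stub(BaseHTTPRequestHandler):
    """Local stand-in modelling the behaviour described in the thread (assumption)."""
    def do_GET(self):
        if self.headers.get("Authorization") == GOOD:
            self._reply(200, {})
        elif self.headers.get(OPT_IN) is not None:  # opt-in: echo value verbatim
            self._reply(401, {"WWW-Authenticate": self.headers[OPT_IN]})
        else:  # default: redirect to an HTML login page (placeholder path)
            self._reply(302, {"Location": "/login-placeholder"})

    def _reply(self, status, headers):
        self.send_response(status)
        for name, value in {**headers, "Content-Length": "0"}.items():
            self.send_header(name, value)
        self.end_headers()

def probe(port, authorization, challenge=None):
    """One GET, redirects not followed; returns (status, WWW-Authenticate)."""
    headers = {"Authorization": authorization}
    if challenge is not None:
        headers[OPT_IN] = challenge
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request("GET", "/", headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.getheader("WWW-Authenticate")
    finally:
        conn.close()

def run_demo(challenge='Basic realm="api"'):
    with HTTPServer(("127.0.0.1", 0), Stub) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            p = server.server_port
            return [probe(p, BAD), probe(p, BAD, challenge), probe(p, GOOD, challenge)]
        finally:
            server.shutdown()

if __name__ == "__main__":
    print(run_demo())
```

A non-browser client that wants a standards-style challenge sends the header with the challenge value it expects back; a CouchApp running in a browser omits it, so no credential dialog is triggered.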
