jackrabbit-commits mailing list archives

From Apache Wiki <wikidi...@apache.org>
Subject [Jackrabbit Wiki] Update of "frm/HttpOperations" by frm
Date Tue, 03 Feb 2015 14:46:42 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Jackrabbit Wiki" for change notification.

The "frm/HttpOperations" page has been changed by frm:
https://wiki.apache.org/jackrabbit/frm/HttpOperations?action=diff&rev1=2&rev2=3

  
  === Impersonation ===
  
- The impersonation authentication is a variant on the basic authenticatino already defined
by RFC2617. The differences are the following:
+ The impersonation authentication uses an authentication scheme of `Impersonate`. The client
must include one or more tokens that represents the principals of the target subject to impersonate.
In example, an impersonation request sent by a client may contain the following header:
  
-  * the authentication scheme to be used is `Impersonation` instead of `Basic`.
+ {{{
+ Authorization: Impersonate bob,authors,reviewers
+ }}}
  
-  * the client must include an authentication parameter named `impersonate` containing the
name of a user.
+ to force the current request to be evaluated as the current subject is correctly logged
in the repository and is an aggregation of the principals "bob", "authors" and "reviewers".
  
- Please note that, like in the basic authentication, the client still has to provide a user
name and password encoded in Base64 and the realm where authentication should be performed
in.
+ If this authentication method is chosen, the server will skip authentication completely.
The server will assume that another part of the application is responsible for authentication,
and will limit itself to evaluate the request according to the privileges granted to the impersonated
user.
  
+ This authentication method is particularly risky, and it is meant to be used only if there
is a high degree of confidentiality between the server and the client. In example, a server
may want to provide this kind of authentication scheme as a challenge to a client only in
case of a secure, encrypted connection or only if the client is part of a whitelist.
- If this authentication strategy is chosen, the server executes the following actions:
- 
-  * the server performs a repository login using the user name and password provided by the
client in the `Authorization` header.
- 
-  * if the login succeeds, the server reads the user name in the `impersonate` authentication
parameter and performs an impersonation using this user name. The rest of the request will
be evaluated using the impersonated session.
  
  == Read a revision ==
  
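Review bot: The added paragraph beginning "If this authentication method is chosen, the server will skip authentication completely" drops the credential check that the removed text required (a repository login with the client's user name and password before impersonating). The only safeguard left is the non-binding "a server may want to provide this kind of authentication scheme as a challenge to a client only in case of a secure, encrypted connection or only if the client is part of a whitelist". As written, any client able to send `Authorization: Impersonate bob,authors,reviewers` is evaluated with those principals. Suggest making the precondition normative: state that the server must not offer or accept `Impersonate` unless the client has already been authenticated by some other means, and specify what the server does with an `Impersonate` header when that condition is not met (for example, reject the request). An encrypted connection on its own does not identify the client, so the "secure, encrypted connection" alternative should be tied to a form of client authentication or to the whitelist. The page should also say how the comma-separated token list is parsed and whether an unknown principal fails the request. Minor wording: "In example" should read "For example", "tokens that represents" should be "tokens that represent", and "high degree of confidentiality" likely means "high degree of trust".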
