We're currently implementing authentication for private Atom feeds (https+HTTP Basic auth) in our blogging platform. One thing we're doing is a little edgy but appears to work; I'd like to get feedback on whether people think this will break anything.
If someone attempts to retrieve a feed using an unprotected protocol (http://example.org/atom.xml) and the feed is private, we first issue a 301 Permanent Redirect response to the requestor, sending them to, e.g., https://example.org/atom.xml. The server then issues an HTTP Basic auth challenge if required, and proceeds as normal. We do the same thing for our APP implementation, though hopefully people will be using the correct https: URLs in the first place for those (obtained via introspection).
Anybody see potential problems with this approach? It seems to work okay in the clients we've tested so far.
Thanks,
--
System Architect
http://abstractioneer.org
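The two-step flow described in the post (plain-http request for a private feed gets a 301 to the https URL, and the Basic challenge is only issued on the encrypted connection), written out as an added example. This is not code from the post or from the blogging platform it describes; the feed path, realm, account table and the `handle`/`client_exchange` functions are constructed for illustration. The one check a reviewer would want is visible in `handle`: an `Authorization` header that a client volunteers over plain http is never validated, because a feed reader that preemptively sends Basic credentials before the redirect has already put them on the wire in cleartext, and accepting them would reward that behaviour.

```python
import base64
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample data. A real deployment would store salted password
# hashes, not plaintext, and load the feed list from the blog's database.
PRIVATE_FEEDS = {"/atom.xml"}
ACCOUNTS = {"alice": "correct horse battery staple"}
REALM = "private feeds"


@dataclass
class Request:
    scheme: str                      # "http" or "https" as seen by the server
    host: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def parse_basic(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from an 'Authorization: Basic <b64>' header, or None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def credentials_valid(user: str, password: str) -> bool:
    """Constant-time comparison; unknown users still pay for one comparison."""
    expected = ACCOUNTS.get(user)
    if expected is None:
        hmac.compare_digest(password, "x" * len(password))
        return False
    return hmac.compare_digest(password, expected)


def handle(req: Request) -> Response:
    """Server side of the flow: 301 off plain http, then Basic challenge over https."""
    if req.path not in PRIVATE_FEEDS:
        return Response(200, {"Content-Type": "application/atom+xml"}, "<feed/>")

    if req.scheme != "https":
        # Step 1: redirect before any challenge. Any credentials the client
        # already sent over http are deliberately ignored, not checked.
        return Response(301, {"Location": f"https://{req.host}{req.path}"})

    creds = parse_basic(req.headers.get("Authorization"))
    if creds is None or not credentials_valid(*creds):
        # Step 2: the challenge is only ever issued on the encrypted connection.
        challenge = f'Basic realm="{REALM}", charset="UTF-8"'
        return Response(401, {"WWW-Authenticate": challenge})

    return Response(200, {"Content-Type": "application/atom+xml"},
                    "<feed>private</feed>")


def client_exchange(url: str, creds: Optional[Tuple[str, str]]) -> List[int]:
    """Simulate a feed reader: follow the 301, retry once with Basic creds on 401.
    Returns the sequence of status codes observed."""
    parts = urlsplit(url)
    req = Request(parts.scheme, parts.netloc, parts.path)
    seen: List[int] = []
    for _ in range(3):
        resp = handle(req)
        seen.append(resp.status)
        if resp.status == 301:
            parts = urlsplit(resp.headers["Location"])
            req = Request(parts.scheme, parts.netloc, parts.path)
        elif resp.status == 401 and creds and "Authorization" not in req.headers:
            token = base64.b64encode(f"{creds[0]}:{creds[1]}".encode()).decode()
            req.headers["Authorization"] = f"Basic {token}"
        else:
            break
    return seen


if __name__ == "__main__":
    print(client_exchange("http://example.org/atom.xml",
                          ("alice", "correct horse battery staple")))
```

Running the script walks a reader from the http URL through the redirect and the challenge to a 200, so the visible sequence is 301, 401, 200; a reader with no stored credentials stops at 301, 401, which is the behaviour the post describes. Clients that cache the 301 will go straight to https on later polls, which is the point of using a permanent redirect.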
