Hi,
In article <[EMAIL PROTECTED]>,
Fri, 27 Feb 2004 13:07:37 +0100,
Christopher Lenz <[EMAIL PROTECTED]> wrote:
cmlenz> Possibly stupid question: why don't we just check for any status code <
cmlenz> 400?
I think this is enough for most Cactus users.
For your information, the following is what I thought about
FormAuthentication.
1. I wanted to stop the authentication sequence and inform the tester of what
is (maybe) wrong when the sequence seems to go wrong.
So, I decided to check the response at each authentication step
and throw an Exception if the response is not what is expected.
2. At the pre-auth step, the resource set by setRedirectorName(String) may be
a) xxxRedirector, and it is secured:
[This case is normal.]
A 302 (or server-dependent) status code will be returned.
b) xxxRedirector, but it is not secured:
[In this case, the server should be re-configured,
or the test case should be debugged.]
A 500 status code will be returned.
c) not xxxRedirector, but an existing secured resource:
[In this case, the test case should be debugged.]
A 302 (or server-dependent) status code will be returned.
At this point the sequence goes wrong; however, I cannot imagine
how to detect that in the program logic.
d) not xxxRedirector, but an existing unsecured resource:
[In this case, the test case should be debugged.]
A 2xx status code will be returned.
The existence of the Set-Cookie header field is server dependent.
If the cookie is found, the unexpected authentication sequence
can proceed (but I wanted to stop it if possible).
To detect this case, I didn't use logic like if (theCode < 300);
however, the program logic does not work as I want for servers
which return 2xx.
e) a non-existent resource:
[In this case, too, the test case should be debugged.]
A 4xx status code will be returned.
3. At the auth step, the status code is also server dependent.
A server may try to return the resource requested in the pre-auth step
whenever the authentication succeeds.
Hopefully no such server exists; however, if a server tries to do so,
the response may have a status code of 500 for Cactus tests, because
no query string is passed to the xxxRedirector at that time.
Moreover, if the security_check URL set by
FormAuthentication#setSecurityCheckURL(URL) is possibly wrong,
how could I judge that from the status codes? I've never found the answer.
4. After all, I found that it's too difficult for me to determine the expected
response status codes.
Then I decided that the value should be set by someone who knows it.
5. Even if the status code is the expected one, however,
that does not mean the authentication sequence is proceeding successfully.
For example, a 302 status code at the auth step may mean
"authentication failed (try again)".
So, more complex logic is required to realize what I wanted to do
at first.
However, I thought that such logic provides nothing of value for Cactus.
I think there are some other, better ways to track the sequence
than this status-code-based approach.
Regards,
----
Kazuhito SUGURI
E-mail: [EMAIL PROTECTED]
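The ambiguity in point 5 above, as an added example that is not part of the original mail or of the Cactus code: a constructed mock container answers the auth step with 302 both when the login succeeds and when it fails ("try again"), so the "any status code < 400" rule accepts a failed login, whereas re-requesting the redirector with the session cookie and requiring 200 tells the two apart. The paths, the cookie value and the j_security_check form fields are assumptions made for this example.

```python
LOGIN_PAGE = "/login.jsp"            # constructed: the container's login form
REDIRECTOR = "/ServletRedirector"    # constructed: a secured xxxRedirector path
SECURITY_CHECK = "/j_security_check" # servlet-spec form-login action (assumed)
COOKIE = "JSESSIONID=constructed"

class MockServer:
    """Constructed stand-in for a container using form-based authentication."""

    def __init__(self, valid_password):
        self.valid_password = valid_password
        self.authenticated = {}  # session cookie -> bool

    def request(self, path, cookie=None, form=None):
        if path == SECURITY_CHECK:
            ok = form is not None and form.get("j_password") == self.valid_password
            self.authenticated[COOKIE] = ok
            # Both outcomes are 302: success goes on to the resource, failure back to the form.
            return 302, {"Location": REDIRECTOR if ok else LOGIN_PAGE,
                         "Set-Cookie": COOKIE}
        if path == REDIRECTOR:
            if self.authenticated.get(cookie):
                return 200, {}
            # Pre-auth step: the secured resource redirects to the form (case 2a).
            return 302, {"Location": LOGIN_PAGE, "Set-Cookie": COOKIE}
        return 404, {}  # case 2e: resource does not exist

def run_sequence(server, password):
    """Pre-auth and auth steps; returns both statuses, auth headers and cookie."""
    pre_status, pre_headers = server.request(REDIRECTOR)
    cookie = pre_headers.get("Set-Cookie")
    form = {"j_username": "tester", "j_password": password}
    auth_status, auth_headers = server.request(SECURITY_CHECK, cookie, form)
    return pre_status, auth_status, auth_headers, cookie

def status_code_check(server, password):
    """The 'any status code < 400' rule: cannot see a failed login."""
    pre_status, auth_status, _, _ = run_sequence(server, password)
    return pre_status < 400 and auth_status < 400

def verified_check(server, password):
    """Stricter rule: no redirect back to the form, and the redirector must answer 200."""
    pre_status, auth_status, auth_headers, cookie = run_sequence(server, password)
    if pre_status >= 400 or auth_status >= 400:
        return False
    if auth_headers.get("Location") == LOGIN_PAGE:
        return False
    final_status, _ = server.request(REDIRECTOR, cookie)
    return final_status == 200
```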