> From: Daniel Fagerstrom [mailto:[EMAIL PROTECTED]]
>
> Greg Weinger wrote:

<snip/>

> > > Browsers know about the HTTP authentication protocol, and if you use that, they will send you username and password automatically.

> > Where do you retrieve them? AFAIK they're not available in the Servlet API.

> You can use getAuthType(), getRemoteUser(), getUserPrincipal(), and isUserInRole(java.lang.String role) in the HttpServletRequest interface. Password is however not available, as all the above methods rely on the servlet container taking care of user authentication.

> > Anyway, graphic designers loathe the HTTP authentication protocol. Your only choice of input form is that gray box that pops up (maybe not in Mozilla XUL, but the world isn't there yet). In most cases, you'll be wanting to use HTTP forms.

> Yes, it is disturbing that one has to choose between design and security level: form-based login is ok if you use HTTPS or if you don't think (or care if) someone is tapping your wire. HTTP digest authentication gives you a much higher level of security against wire tapping if you don't want to use HTTPS, but in this case you will get gray box pop-ups in the browser :(

> > The main problem, I think, is that HTTP requests on their own do not have the concept of a user built into them, which is necessary to perform user-based access control.

> They have, see (ftp://ftp.isi.edu/in-notes/rfc2617.txt) for all the technical details ;). But it depends on the browser taking care of the protocol, which leads to: gray box pop-ups.

As you mentioned before: form-based login. IIRC, the servlet spec describes it in detail. The only thing Cocoon needs is maybe an action to establish user credentials in the servlet container once this form is submitted.

> > That information has to be established programmatically. My thought was, what if we built that concept into Cocoon?

It is built into the servlet spec. See answer from Greg Weinger (above).
> Yes, then I think that one either has to support rfc2617 in Cocoon, which seems tricky, or use session-based security (IIRC there already are some actions in Cocoon that take care of that). Implementing our own support for passing credentials back and forth for each request seems too complicated to me.

And already done by *any* servlet engine.

Vadim