On 26/06/2009 1:02 AM, Jan Lehnardt wrote:
> An example authentication client request:
>
> | client | ---> | http request with credentials | ---> | authentication handler | ---> | lookup in authentication handler specific view in `users` database | ---> | grant or deny access, set role |
If you intend to support Windows NTLM authentication, there are a couple of
things that may, or may not, complicate this:
* NTLM is based on a series of 'challenge/response' pairs; the client
issues a request, the server responds with a 404 and a 'token' in the
headers, the client re-requests with a token based on the server's
token, the server responds yet again with 404 and a new token, then
finally the client's next request works.
* NTLM is connection-based. Once the connection is closed you must
re-do that dance. It is not possible to persist anything beyond the
life of the connection which you can use on a subsequent connection.
Therefore, the dance described above must also be performed on the same
connection.
Hoping this is relevant,
Mark
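To make the two points in Mark's reply concrete, here is an added example that is not part of the thread and not code from CouchDB or any NTLM library: a constructed, simplified model of the challenge/response dance and of handshake state that is bound to one connection. The message format, the `response_for` keyed hash, the sample password store and the use of 401 as the challenge status are assumptions of the model, not real NTLM.

```python
import base64
import hashlib
import hmac
import os

PASSWORDS = {"alice": "correct horse battery staple"}  # constructed sample store

def response_for(password, challenge):
    # Stand-in for the NTLM response computation; NOT the real NTLMv2 algorithm.
    return hmac.new(password.encode(), challenge, hashlib.sha256).digest()

class ConnectionBoundAuth:
    """Server side: handshake state lives exactly as long as the connection."""
    def __init__(self):
        self._pending = {}    # conn_id -> nonce issued on that connection
        self._authed = set()  # conn_ids whose handshake completed
    def handle(self, conn_id, headers):
        """Handle one request on conn_id; return (status, response headers)."""
        if conn_id in self._authed:
            return 200, {}                        # already authenticated on this connection
        challenge_hdr = {"WWW-Authenticate": "NTLM"}
        scheme, _, payload = headers.get("Authorization", "").partition(" ")
        if scheme != "NTLM":
            return 401, challenge_hdr             # step 1: tell the client to start the dance
        if payload == "negotiate":
            nonce = os.urandom(8)                 # step 2: fresh nonce, remembered per connection
            self._pending[conn_id] = nonce
            return 401, {"WWW-Authenticate": "NTLM " + base64.b64encode(nonce).decode()}
        nonce = self._pending.pop(conn_id, None)  # step 3: only valid on the challenged connection
        user, _, resp_hex = payload.partition(":")
        if nonce is None or user not in PASSWORDS:
            return 401, challenge_hdr             # nothing pending here: start over
        expected = response_for(PASSWORDS[user], nonce)
        if hmac.compare_digest(expected, bytes.fromhex(resp_hex)):
            self._authed.add(conn_id)
            return 200, {}
        return 401, challenge_hdr

    def close(self, conn_id):                     # connection gone: forget everything learned on it
        self._pending.pop(conn_id, None)
        self._authed.discard(conn_id)

def client_dance(server, conn_id, user, password, respond_on=None):
    """Client side: the three requests on conn_id (last one on respond_on, if given)."""
    server.handle(conn_id, {})
    _, hdrs = server.handle(conn_id, {"Authorization": "NTLM negotiate"})
    nonce = base64.b64decode(hdrs["WWW-Authenticate"].split(" ", 1)[1])
    resp = response_for(password, nonce).hex()
    status, _ = server.handle(respond_on or conn_id, {"Authorization": f"NTLM {user}:{resp}"})
    return status
```

Closing the connection drops both the pending nonce and the authenticated flag, so a later connection must run the full dance again; a final message sent over a different connection than the one that was challenged is rejected.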