On 15.11.2010 21:34, Daniel Kulp wrote:
Well, I guess here would be my "requirements":
1) "Out of the box", basic auth needs to "just work". If the user sets the
username and password and nothing is configured in, the basic auth stuff
should automatically turn on preemptively.
2) Streaming - related to (1), when the username/password is set with basic
auth, it cannot break streaming.
3) If the other auth mechanisms support streaming, we should keep it enabled.
However, some of them don't allow for the streaming.
4) Obviously, if something IS configured in, that should just work as well.
:-)
I did not really understand this one. What do you mean by "configured
in"? Do you mean the HttpAuthSupplier?
I am not so sure about this construction. It somehow looks strange and I
have never seen this in use in practice.
We could do it upfront and then only give the conduit one strategy
or we could do it later and give the conduit a strategy that decides for
each case which real strategy to use.
The streaming requirement kind of removes the second option. Once we get the
401 back, the streaming is stopped and the original message is gone. If the
user specifically turns off streaming, OK, we can do something smart.
Dan
I think this does not rule out the second option. After looking into the
problem a little deeper I even think we can only decide the actual
authentication mechanism after the construction of the conduit.
The reason is that you can set an auth policy on the message and it
should override the authpolicy in the config.
So I guess it could work to have a class that decides which strategy to
use based on the effective authpolicy (config merged with that from the
message). This class would for example decide to use Spnego with
preemptive authentication. In this case streaming could still work.
I also have another question. There is the class CxfAuthenticator. In
this class the Authenticator.setDefault is set. So this also does some
kind of authentication. Do you know how this works together with the
rest of the authentication code? I think this could perhaps be old code
and be redundant now. In any case it only seems to support basic auth
for server and proxy.
Christian
--
----
http://www.liquid-reality.de
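
The failure mode Dan describes (a streamed request cannot be resent once the 401 arrives) and the reactive `Authenticator.setDefault` path Christian asks about, shown as an added example that is not CXF code and not part of the original mail. It uses plain `java.net.HttpURLConnection` against a local stub server; the class name, credentials and payload are constructed for illustration.

```java
import com.sun.net.httpserver.HttpServer;
import java.io.*;
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
public class PreemptiveBasicAuthDemo {
    // Constructed credentials, valid only for the local stub server below.
    static final String USER = "demo", PASS = "secret";
    static final String HEADER = "Basic " + Base64.getEncoder()
            .encodeToString((USER + ":" + PASS).getBytes(StandardCharsets.UTF_8));
    // POSTs a small body and returns the final HTTP status seen by the client.
    static int post(URL url, boolean streaming, boolean preemptive) throws IOException {
        HttpURLConnection c = (HttpURLConnection) url.openConnection();
        c.setDoOutput(true); // writing a body turns the request into a POST
        if (streaming) c.setChunkedStreamingMode(4096); // unbuffered body, cannot be replayed
        if (preemptive) c.setRequestProperty("Authorization", HEADER); // sent unprompted
        try (OutputStream out = c.getOutputStream()) {
            out.write("<payload/>".getBytes(StandardCharsets.UTF_8));
        }
        try {
            return c.getResponseCode();
        } catch (HttpRetryException e) {
            return e.responseCode(); // the JDK refused to retry a streamed request
        }
    }
    public static void main(String[] args) throws IOException {
        // Reactive path: the JDK consults this Authenticator only after a 401 challenge.
        Authenticator.setDefault(new Authenticator() {
            @Override protected PasswordAuthentication getPasswordAuthentication() {
                return new PasswordAuthentication(USER, PASS.toCharArray());
            }
        });
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/", ex -> {
            ex.getRequestBody().readAllBytes(); // drain the request body (Java 9+)
            boolean ok = HEADER.equals(ex.getRequestHeaders().getFirst("Authorization"));
            if (!ok) ex.getResponseHeaders().add("WWW-Authenticate", "Basic realm=\"demo\"");
            ex.sendResponseHeaders(ok ? 200 : 401, -1);
            ex.close();
        });
        server.start();
        URL url = new URL("http://127.0.0.1:" + server.getAddress().getPort() + "/");
        // Streamed cases run first so credentials cached by the JDK cannot mask the result.
        System.out.println("streamed, challenge-response: " + post(url, true, false));
        System.out.println("streamed, preemptive header:  " + post(url, true, true));
        System.out.println("buffered, challenge-response: " + post(url, false, false));
        server.stop(0);
    }
}
```

Because the preemptive header goes out before the server has issued any challenge, it belongs only on TLS connections to an endpoint the client already trusts.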