Eduard Moraru wrote:
> Vincent Massol wrote:
>> On Dec 19, 2008, at 6:27 PM, Fabio Mancinelli wrote:
>>
>>> Vincent Massol wrote:
>>>
>>>> Does this mean I cannot open my browser and call the REST URL without
>>>> specifying a user?
>>>
>>> It should open up the authentication dialog where you type your username
>>> and password (or guest) the first time you request a resource.
>>
>> Is that right? It sounds cumbersome and bad for easy automation when
>> you want guest access.
>>
>> Cannot we default to guest when no username/account is specified?
>>
>> Thanks
>> -Vincent
>
> +1
>
> I think it would be easier and more natural to have the default to guest
> or anonymous user.
> When an anonymous user tries to access restricted content -> 403
> If he wants to log-in, he just does:
> http://user:[email protected]/space/X/page/Y

+1 for URL authentication. This is something needed (for command line clients that don't speak BASIC auth), although it is not safe at all. Still, it has the same safety level as BASIC auth, so it is no less safe than other authentication methods (given that by default our login sends plaintext values over HTTP).

> We should mimic the basic auth and skip the popup window that requires
> user/pass in the browser.
>
> That is: Imply that the current user is exactly who he says he is and do
> not assume he could be a user with rights to a resource until he
> explicitly says so.

-1. Although URL authentication should not create any persistent authentication, we need something persistent (using cookies).

--
Sergiu Dumitriu
http://purl.org/net/sergiu/
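The policy discussed in this thread (guest when no credentials are given, 403 for guest on restricted content, URL credentials carrying the same information as a BASIC auth header), sketched as an added example that is not part of the original messages or of XWiki's code. The user table, the page ACL, the host `example.org` and the 401 response for wrong credentials are assumptions made for illustration.

```python
import base64
import hmac
from urllib.parse import unquote, urlsplit

# Constructed sample data (hypothetical user and page ACL).
USERS = {"alice": "s3cret"}
RESTRICTED = {"/space/X/page/Y": {"alice"}}
GUEST = "guest"

def basic_header_from_url(url):
    """Authorization header a client derives from URL userinfo, or None."""
    parts = urlsplit(url)
    if parts.username is None:
        return None
    creds = f"{unquote(parts.username)}:{unquote(parts.password or '')}"
    # base64 is an encoding, not encryption: the header reveals the password.
    return "Basic " + base64.b64encode(creds.encode()).decode("ascii")

def resolve_user(auth_header):
    """No header -> guest; valid Basic credentials -> that user; else None."""
    if auth_header is None:
        return GUEST
    scheme, _, token = auth_header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    expected = USERS.get(user)
    if sep and expected is not None and hmac.compare_digest(
            expected.encode(), password.encode()):
        return user
    return None

def handle(url):
    """Return (status, user) for a GET of url under guest-by-default."""
    user = resolve_user(basic_header_from_url(url))
    if user is None:
        return 401, None  # assumption: bad credentials are rejected with 401
    allowed = RESTRICTED.get(urlsplit(url).path)
    if allowed is not None and user not in allowed:
        return 403, user  # guest (or other user) on restricted content
    return 200, user
```

Because the URL form and the header form decode to the same `user:password` string, both need TLS on the wire, and the URL form additionally ends up in shell history, proxy logs and browser history.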

