Hi Jerome,
One thing that could help in the short term for experimenting would be
to be able to override the standard HTTP headers. I'm thinking of
HttpConstants.HEADER_WWW_AUTHENTICATE to be specific, which
HttpConverter.addAdditionalHeaders(...) makes impossible to override.
It's therefore a bit more tricky to try out responding with multiple
WWW-Authenticate headers (Rhett was mentioning this issue in this thread
and in <http://restlet.tigris.org/issues/show_bug.cgi?id=457>).
Could there be some sort of flag to allow headers to be overridden?
Perhaps removing
"param.getName().equalsIgnoreCase(HttpConstants.HEADER_WWW_AUTHENTICATE)"
in the list of tests might be the easiest.
I suppose the only danger would be a maliciously crafted Application
served within a container that doesn't require authentication to get
a password via HTTP basic for example. (I'm not sure how many people
would run applications they don't trust within a Restlet container at
the moment; this is probably unlikely.)
If this was a problem, perhaps some sort of connector property along the
lines of ALLOW_OVERRIDE_HTTP_HEADERS, defaulting to false, would work I
guess.
Best wishes,
Bruno.
Jerome Louvel wrote:
Hi Bruno,
That sounds good, thanks for continuing the thinking. For SPNEGO, feel free to
post comments on the RFE:
"Support SPNEGO authentication"
http://restlet.tigris.org/issues/show_bug.cgi?id=444
Best regards,
Jerome