Hi Bruno,

This looks like a killer post :-) I've added a comment about it in the RFE and will come back to it later (too busy to thoroughly read and comment on it now).

Best regards,
Jerome

-----Original Message-----
From: news [mailto:[EMAIL PROTECTED] On Behalf Of Bruno Harbulot
Sent: Tuesday 10 June 2008 10:45
To: [email protected]
Subject: Re: Guards and authentication mechanisms

Hi,

Perhaps this can help, I've made a (long) list of authentication mechanisms (about as many as I could find and I've tried most):

http://blog.distributedmatter.net/post/2008/06/09/HTTP-authentication-mechanisms-and-how-they-could-work-in-Restlet

I was looking into which authentication information could be obtained from the server (in the sense of what can then be used for making an authorisation decision).

Best wishes,

Bruno.

Jerome Louvel wrote:
> Hi Bruno,
>
> That sounds good, thanks for continuing the thinking. For SPNEGO, feel free to
> post comments on the RFE:
>
> "Support SPNEGO authentication"
> http://restlet.tigris.org/issues/show_bug.cgi?id=444
>
> Best regards,
> Jerome
>
>
> -----Original Message-----
> From: news [mailto:[EMAIL PROTECTED] On Behalf Of Bruno Harbulot
> Sent: Sunday 1 June 2008 23:50
> To: [email protected]
> Subject: Re: Guards and authentication mechanisms
>
> Hi all,
>
> Jerome Louvel wrote:
>> Hi all,
>>
>> Thanks Bruno for the nice synthesis, that definitely helps moving forward. I
>> have entered a new RFE to consolidate your comments and other ones from
>> Stephan:
>>
>> "Refactor authentication and authorization"
>> http://restlet.tigris.org/issues/show_bug.cgi?id=505
>>
>> Stephan, I agree that this will take some time to properly refactor and take
>> all aspects into account. I've listed 13 (!) related issues that I added in
>> the "blocks" field.
>>
>> I don't think it would be wise to rush changes into 1.1 so I have set the
>> milestone to 1.2 M1.
>
> Yes, I agree, no rush. Those of us who actually need such Guards in
> practice can more or less implement them in 1.1 as plain Filters or
> subclasses of Guard.
> I'll try to think of more esoteric authnz mechanisms (for example
> Shibboleth, which we use in parts of the project I work on).
> I've actually just had a rather successful go at implementing a SPNEGO
> Filter using the JAAS/GSS mechanism of Java 6, based on Kerberos. It's
> just a proof of concept and the code isn't very clean (I've cut a few
> corners when implementing my own ChallengeScheme and
> AuthenticationHelper), but it seems to work. (At least to test, being
> able to write the 'WWW-Authenticate' headers directly or at having
> something a bit simpler than AuthenticationHelper.formatParameters(...)
> would have made it a bit easier.)
> I can't guarantee if and how much time I can spend on this, but I'll try
> to give more details sometime soon.
>
>
> Best wishes,
>
> Bruno.

