Hi Stephan,

On Dec 22, 2008, at 3:20 AM, Stephan Koops wrote:

> Hi Rhett,
>>>>> but doesn't the current Guard implementation obviate the need for
>>>>> both sessions and cookies, and yet provide us with basic
>>>>> authentication? if yes, then a solution for providing customizable
>>>>> form-based login could be to extend its capabilities to allow
>>>>> declaring and re-directing to a resource URI to use when the
>>>>> credentials are missing.
>>>>>
>>>>> does this make sense?
>>>>>
>>>> No, that won't work.  The reason why basic auth works without
>>>> prompting after the first request is that the browser caches the
>>>> credentials and repeats the Authorization header with every
>>>> subsequent request.  This is possible because basic authentication
>>>> is part of the HTTP spec.  There's no form-based equivalent of it.
>>>>
>>> right.  and that's because in form-based authentication what
>>> would've been a 401 status code response never makes it to the
>>> Browser.  yes?
>>>
>> I suppose that's one way to put it.  The key thing is that there's no
>> spec for form-based authentication, so there's no browser awareness of
>> it, so there's no way to get an Authorization header with form-based
>> auth.  That means the existing Guard implementation can't be trivially
>> modified to work with forms.
> There is a way, but HTML and HTTP are not enough: you need JavaScript
> to send an XMLHttpRequest. But you can't use HTTP status 401 for the
> return, because the browser should prompt (search for "401" on
> http://www.w3.org/TR/XMLHttpRequest/) for the user's credentials, and
> that is what we don't want. So we have to use another HTTP status for
> it (I've implemented it with the undefined status 491 some months ago).
> But this way requires enabled JavaScript in the user's browser and
> support for the XMLHttpRequest object.

If I understand you correctly, you are suggesting using an
XMLHttpRequest in order to send a request with an Authorization header
to perform the login.  That gets around the problem of using Guard to
do the initial authentication, but how do you prevent the user from
being prompted on every request?  It seems like you'd still need some
sort of client-side state and a way to interpret it on the server.

Or do I misunderstand what you are suggesting?  Do you have a writeup of
the XMLHttpRequest-based protocol you are using?

Thanks,
Rhett

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=989934