Walden,

See below, please.

On Wed, Nov 19, 2008 at 2:29 PM, walden <[EMAIL PROTECTED]> wrote:
>
> Olivier,
>
> I'm still a little perplexed, see below.
>
>> >> * session expiration, because the GWT RPC will fail soon (401).
>> >> * forbidden because the GWT RPC will fail soon (403).
>> >> When session is expired, the RPC will fail soon with a 401 (Auth
>> required status), before GWT 1.5 it was not (easily) possible to
>> detect such failure. But session expiration is not an issue for HTTP
>> basic.
>> * activation of widget when authority is granted.
>
> Originally, I thought your points were against HTTP auth, but now it
> looks like they were for it?
>

I'm not talking of HTTP Basic Scheme where AFAIK there is no expiration. I'm talking of a session-based mechanism like Acegi or Form Based authentication.

What I was (trying) to explain is that when relying on a previous authentication, then the GWT application is in fact unaware of being under a restricted access. That might be good (as it is simple). But when an error (security errors: Auth Required (401) when the session has expired, a forbidden access (403)) occurs on a GWT-RPC call, the GWT application has to handle this error (much simpler under GWT >= 1.5). So the GWT application has to handle some security concerns (Auth required && Forbidden).

>
>> >> About widget activation && authorization, in my proposal the widgets are
>> aware of the authentication events so they can activate/deactivate
>> when login/logout occurs.
>
> This doesn't come up for me. I secure my site in such a way that you
> don't get any widgets until you're authenticated and authorized. I
> thought you were referring to a more fine grained authorization scheme
> where certain widgets appear only for certain users.

I do! Some GWT elements may be notified of the authentication event (granted authorities) and then they can do what they want ...

> That sort of
> entitlement management goes beyond authorization, and the point I was
> making was that it seems somewhat orthogonal to what protocol you use
> for auth.

Definitely!

>
> Walden

Regards
Olivier.
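
The handling discussed in the message above, as an added example that is not part of the original thread or of any poster's code: a base GWT-RPC callback that turns 401/403 responses into authentication events that widgets can subscribe to. `AuthListener`, `AuthEvents` and `SecurityAwareCallback` are hypothetical names; only `AsyncCallback` and `StatusCodeException` (GWT 1.5+) are GWT's own.

```java
import com.google.gwt.user.client.rpc.AsyncCallback;
import com.google.gwt.user.client.rpc.StatusCodeException;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical listener: widgets implement it to enable/disable themselves. */
interface AuthListener {
  void onAuthRequired();   // 401: session expired, prompt for login again
  void onForbidden();      // 403: authenticated but not authorized
}

/** Hypothetical client-side registry that fans security events out to widgets. */
final class AuthEvents {
  private static final List<AuthListener> LISTENERS = new ArrayList<AuthListener>();
  private AuthEvents() {}
  static void register(AuthListener l) { LISTENERS.add(l); }
  static void fireAuthRequired() { for (AuthListener l : LISTENERS) l.onAuthRequired(); }
  static void fireForbidden() { for (AuthListener l : LISTENERS) l.onForbidden(); }
}

/** Base callback for every GWT-RPC call; subclasses add onSuccess and onOtherFailure. */
public abstract class SecurityAwareCallback<T> implements AsyncCallback<T> {
  public final void onFailure(Throwable caught) {
    // StatusCodeException carries the HTTP status of a failed RPC response.
    if (caught instanceof StatusCodeException) {
      int status = ((StatusCodeException) caught).getStatusCode();
      if (status == 401) { AuthEvents.fireAuthRequired(); return; }
      if (status == 403) { AuthEvents.fireForbidden(); return; }
    }
    onOtherFailure(caught);  // network errors, serialization problems, server exceptions
  }

  /** Called for every failure that is not a 401 or 403. */
  protected abstract void onOtherFailure(Throwable caught);
}
```

Hiding or disabling a widget on these events only changes what the user sees; the server still has to return 401/403 on every RPC, since the client code can be bypassed.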
