>The idea is that when a server encountered an access control situation, it
>would download the Kerberos applet and cause it to be run. The applet would
>get a ticket and return it to the server. The good news is that this
>mechanism would only be used/triggered when the user tried to retrieve an
>access controlled page, and the amount of additional code added to each
>client would be minimized.
>[...]
>What else is wrong with this idea?
How do you match up the returned ticket with the web request? As I see
it, the Java applet will get a service ticket, send it to the web server
who will verify it ... but then what? Assuming you're going to then make
some more HTTP calls, there doesn't seem to be a good way of matching
up that authentication with a valid request (you might be able to have
the client keep the connection open with some of the newer HTTP stuff,
I suppose, but I have to confess that I don't know a lot about that).
--Ken