Ok, probably this is not the best list to post this issue. In fact, investigating a little, I think Google and Yahoo implement some Kerberos-like protocol.
They allow you to authenticate your application (service) against Google or Yahoo (authentication server). These concepts are common with Kerberos.

I posted this issue here because I think every AJAX library needs this and I'm learning the AJAX library called "qooxdoo" ;-)

BTW, in my investigation it seems that Alfresco is also using this model, and looking at the Alfresco wiki it seems to be called "User Token Authentication".

In brief: a piece of information is joined with a timestamp and hash encrypted. Security is based on a symmetric key (a password) that should be known by both actors. HTTPS is used only to exchange this secret at the beginning of the communication. Subsequent accesses to services need only a valid signature. But communication can be in HTTP if one does not need to obfuscate information in transit.

Regards,
Mar

PS: the latest animation features are such great features!!!

On Feb 5, 2008 9:40 PM, Helder Magalhães <[EMAIL PROTECTED]> wrote:
>
> Marco LOMBARDO wrote:
> >
> > If I use RPC I should protect some of the implemented services with
> > authentication.
> > With stateful backend I can store authentication information into
> > sessions.
> > With a pure web services stateless implementation I can use HTTPS +
> > username + password in every request.
> >
> You may also have a hybrid implementation: use HTTP for stateless
> authentication and the session information for other interesting data.
>
>
> Marco LOMBARDO wrote:
> >
> > My questions:
> > 1. Do you have some links to some reference documents about ticket
> > authorization?
> > 2. Is it possible with qooxdoo? Some tips?
> > 3. If it's not possible, what is missing in qooxdoo?
> >
> 1. Unfortunately not. IMHO HTTP(S)-based authentication has some advantages:
> although it introduces small overhead in every request, it's ubiquitous and
> stateless.
> 2. I have never tried it. I guess qooxdoo backend (server) doesn't contain
> session/cookie-based authentication mechanisms (please correct me if I'm
> wrong). On the other hand, if one manages to implement such a mechanism, it
> may then use "serverData" [1] property in frontend (client) code to pass the
> authorization string back and forth. This is just a possible implementation,
> not a (known) recommendation...
> 3. Rather than missing, this seems a potential opportunity to contribute
> with such a mechanism to the framework (if it's not already there)! :-)
>
> Keep in mind that qooxdoo RPC classes already support explicit HTTP-based
> authentication, if you're not already using them (implicitly). For example,
> your static server files can be in an unauthenticated area, while the RPC
> server URL itself is password-protected: in this case, you'll use explicit
> authentication (username/password properties set in RPC classes). If the RPC
> server is «inside» the password protected area, the browser will eventually
> prompt the user to access static files and deal with all the authentication:
> nevertheless, this may pose a problem which is the inability to easily end
> an HTTP authenticated session (except by closing all browser windows, of
> course). But this leads to a much wider debate!
>
> Regards,
>
> Helder Magalhães
>
> [1] http://demo.qooxdoo.org/current/apiviewer/#qx.io.remote.Rpc~serverData
> --
> View this message in context:
> http://www.nabble.com/Authentication-in-qooxdoo--tp15248954p15299064.html
> Sent from the qooxdoo-devel mailing list archive at Nabble.com.
>
> _______________________________________________
> qooxdoo-devel mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/qooxdoo-devel
>

--
Harmony is action without effort. (Plato)
----------------------------------------------------------------------
Skype: mar9000, Compilo subAdministrator (compilo.sf.net), ArgoUML Observer (argouml.tigris.org), qooxdoo fan (http://qooxdoo.oss.schlund.de/), LinuxUser #364892
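
The token scheme outlined in the message above (request data joined with a timestamp and authenticated with a shared secret), as an added example that is not part of the thread and is not qooxdoo or Alfresco code. It assumes HMAC-SHA256 as the keyed hash and a five-minute acceptance window, and it goes one step beyond the message by adding a per-request nonce, because over plain HTTP a captured request stays valid for the whole window otherwise; all function and field names are hypothetical.

```javascript
"use strict";
const nodeCrypto = require("node:crypto");

const MAX_SKEW_MS = 5 * 60 * 1000; // assumed acceptance window for timestamps

// Length-prefix every signed field so that moving bytes from one field
// to its neighbour always changes the string that gets signed.
function canonical(fields) {
  return fields.map((f) => `${Buffer.byteLength(String(f))}:${f}`).join("|");
}

// Keyed hash over everything the server will act on. Both sides must
// serialise params identically (same JSON key order).
function sign(secret, { service, method, params, timestamp, nonce }) {
  const data = canonical([service, method, JSON.stringify(params), timestamp, nonce]);
  return nodeCrypto.createHmac("sha256", secret).update(data).digest("hex");
}

// Client side: the secret was exchanged once over HTTPS; only the
// signature travels with each call.
function makeRequest(secret, service, method, params, now = Date.now()) {
  const nonce = nodeCrypto.randomBytes(12).toString("hex");
  const req = { service, method, params, timestamp: now, nonce };
  return { ...req, signature: sign(secret, req) };
}

// Server side: returns "ok" or the reason the call is rejected.
// seenNonces is a Map kept by the server (nonce -> timestamp).
function verify(secret, req, seenNonces, now = Date.now()) {
  if (typeof req.signature !== "string" || !Number.isFinite(req.timestamp)) {
    return "malformed";
  }
  const expected = Buffer.from(sign(secret, req), "hex");
  const given = Buffer.from(req.signature, "hex");
  // Check the signature first and in constant time, so nothing about the
  // expected value leaks through timing or through later error reasons.
  if (given.length !== expected.length ||
      !nodeCrypto.timingSafeEqual(given, expected)) {
    return "bad-signature";
  }
  if (Math.abs(now - req.timestamp) > MAX_SKEW_MS) return "stale";
  if (seenNonces.has(req.nonce)) return "replay";
  // A real server would evict entries older than MAX_SKEW_MS.
  seenNonces.set(req.nonce, req.timestamp);
  return "ok";
}
```

The signature gives integrity and origin only: over HTTP the parameters and results are still readable in transit, as the message notes.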
