On Thu, 14 Oct 2004, Diego Woitasen wrote:
Does somebody know about any standard or implementation of SASL and HTTP?
None that I know of. Only Basic and Digest authentication have been standardised, and Microsoft have published a draft on how their Negotiate (and NTLM) authentication protocol leeches on top of HTTP, masquerading themselves looking almost like HTTP authentication mechanisms.
SASL fits rather badly with HTTP as SASL is quite session oriented with a relatively heavy session setup negotiation while HTTP is sessionless (much the same problems as seen by Microsoft Negotiate & NTLM). But I suppose it might be possible to design a session-aware authentication model like the one used by Digest to support SASL in a sane manner. But without support from the browser vendors it is somewhat pointless.
Regards Henrik
