[Osr-101] Re: [Yulup] [PROPOSAL] Login resp. authentication element within introspection

Andreas Wuest andreas.wuest at wyona.com
Thu May 3 14:07:03 CEST 2007


Hi

On 3.5.2007 11:59 Uhr, Michael Wechner wrote:

> Hi
> 
> I would like to suggest that we introduce a login resp. authentication 
> element for introspection, e.g.
> 
> <introspection>
> 
> <authentication>
>    <login url="https://foo.bar/protected.xhtml?action=login-neutron">
>      <message>Login for realm 'Foo Bar' ...</message>
>      <form>
>        <param description="Username" name="username"/>
>        <param description="Password" name="passwd"/>
>      </form>
>    </login>
>    <logout url="http://foo.bar/?action=logout"/>
>  </authentication>
> 
> </introspection>
> 
> 
> which is the same as the already defined Neutron Authentication
> 
> http://neutron.wyona.org/draft-neutron-protocol-v0.html#rfc.section.7.1
> 
> The reason for this is that one might not want to show versions and 
> workflows and open/save URLs to the public within the introspection 
> document but rather user specific (which would be decided by the server).
> 
> Of course one could protect the introspection document, but every time 
> one would request a public page with a protected introspection document 
> one would receive a login screen which doesn't really make sense.
> 
> Another workaround would be to use client certificates, but it's one 
> more complexity and also client certificates are client specific.
> 
> This is why I think the authentication element would make sense also 
> within the introspection.
> 
> WDYT?

Generally, a good idea. Some points to think about:

  * What happens after login? Does the user have to reload the page then 
in order to get extended introspection data?
  * The resources linked from the introspection data might actually be 
in a different realm, which requires the user to login again.
  * This solution ultimately requires the server to generate the 
introspection data dynamically (at least the part which contains this 
authentication snippet), because the authentication mechanism might 
change (e.g. more credentials are required like a PIN, etc.). If the 
server does not generate that dynamically, all introspection files have 
to be rewritten.

-- 
Kind regards,
Andi
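As an added example (not code from the Yulup or Neutron projects), a small Python reader for the proposed element: it parses the quoted snippet into the login URL, realm message, form parameters and logout URL, and flags a login URL that would send the form credentials over plain http. The sample document is constructed from the proposal above; element and attribute names are the ones it uses.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample: the <authentication> snippet from the proposal,
# embedded in a minimal introspection document.
SAMPLE_INTROSPECTION = """<introspection>
  <authentication>
    <login url="https://foo.bar/protected.xhtml?action=login-neutron">
      <message>Login for realm 'Foo Bar' ...</message>
      <form>
        <param description="Username" name="username"/>
        <param description="Password" name="passwd"/>
      </form>
    </login>
    <logout url="http://foo.bar/?action=logout"/>
  </authentication>
</introspection>"""


@dataclass
class AuthInfo:
    login_url: str
    message: str
    params: List[Tuple[str, str]]   # (name, description) in document order
    logout_url: Optional[str]


def parse_authentication(xml_text: str) -> Optional[AuthInfo]:
    """Return the <authentication> data, or None if the document has none."""
    root = ET.fromstring(xml_text)
    auth = root.find("authentication")
    if auth is None:
        return None
    login = auth.find("login")
    if login is None or "url" not in login.attrib:
        raise ValueError("authentication element without a login url")
    params = [(p.attrib["name"], p.attrib.get("description", ""))
              for p in login.findall("form/param")]
    logout = auth.find("logout")
    return AuthInfo(
        login_url=login.attrib["url"],
        message=(login.findtext("message") or "").strip(),
        params=params,
        logout_url=logout.attrib.get("url") if logout is not None else None,
    )


def credentials_would_travel_in_clear(info: AuthInfo) -> bool:
    """True if posting the form to login_url would use plain http."""
    return urlsplit(info.login_url).scheme.lower() != "https"
```

The check covers only the login URL; the logout URL in the proposal is plain http, and a client may want to apply the same test to any URL it will send a session to.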
