[Osr-101] Re: [Yulup] [PROPOSAL] Login resp. authentication element within introspection
Michael Wechner
michael.wechner at wyona.com
Thu May 3 22:31:31 CEST 2007
Andreas Wuest wrote:
> Hi
>
> On 3.5.2007 11:59 Uhr, Michael Wechner wrote:
>
>> Hi
>>
>> I would like to suggest that we introduce a login resp.
>> authentication element for introspection, e.g.
>>
>> <introspection>
>>
>> <authentication>
>> <login url="https://foo.bar/protected.xhtml?action=login-neutron">
>> <message>Login for realm 'Foo Bar' ...</message>
>> <form>
>> <param description="Username" name="username"/>
>> <param description="Password" name="passwd"/>
>> </form>
>> </login>
>> <logout url="http://foo.bar/?action=logout"/>
>> </authentication>
>>
>> </introspection>
>>
>>
>> which is the same as the already defined Neutron Authentication
>>
>> http://neutron.wyona.org/draft-neutron-protocol-v0.html#rfc.section.7.1
>>
>> The reason for this is that one might not want to show versions and
>> workflows and open/save URLs to the public within the introspection
>> document but rather user specific (which would be decided by the
>> server).
>>
>> Of course one could protect the introspection document, but every
>> time one would request a public page with a protected introspection
>> document one would receive a login screen which doesn't really make
>> sense.
>>
>> Another workaround would be to use client certificates, but it's one
>> more complexity and also client certificates are client specific.
>>
>> This is why I think the authentication element would make sense also
>> within the introspection.
>>
>> WDYT?
>
>
> Generally, a good idea. Some points to think about:
>
> * What happens after login? Does the user have to reload the page then
> in order to get extended introspection data?
Well, I would expect the client to reload the introspection, but agreed
the actual authentication has nothing to do with the introspection, but
OTOH the Yulup menu needs to be refreshed in order to show that one has
been authenticated and hence I would expect a reload, but that is
probably Yulup specific.
> * The resources linked from the introspection data might actually be
> in a different realm, which requires the user to login again.
I guess we cannot do much about something like this if the server
implementation is done like this.
> * This solution ultimately requires the server to generate the
> introspection data dynamically (at least the part which contains this
> authentication snippet), because the authentication mechanism might
> change (e.g. more credentials are required like a PIN, etc.). If the
> server does not generate that dynamically, all introspection files
> have to be rewritten.
Yes, but I would assume that this is the case, I mean that the
introspection is being generated dynamically in such a case.
Cheers
Michi
--
Michael Wechner
Wyona - Open Source Content Management - Apache Lenya
http://www.wyona.com http://lenya.apache.org
michael.wechner at wyona.com michi at apache.org
+41 44 272 91 61
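
A check a client could run on the proposed authentication element before submitting credentials, as an added example that is not part of the original e-mail and is not Yulup or Neutron code: it parses the snippet from the proposal and flags a login or logout URL that is not HTTPS, or a login URL on a different origin than the introspection document. The function names, the same-origin rule, the rejection of DTDs and the document URL passed in are assumptions; the sample uses no XML namespace, as in the e-mail.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: the <authentication> snippet from the proposal above.
SAMPLE = """<introspection>
  <authentication>
    <login url="https://foo.bar/protected.xhtml?action=login-neutron">
      <message>Login for realm 'Foo Bar' ...</message>
      <form>
        <param description="Username" name="username"/>
        <param description="Password" name="passwd"/>
      </form>
    </login>
    <logout url="http://foo.bar/?action=logout"/>
  </authentication>
</introspection>"""


def origin(url):
    """Return (scheme, host, port) with default ports filled in."""
    u = urlsplit(url)
    port = u.port or {"https": 443, "http": 80}.get(u.scheme)
    return (u.scheme, (u.hostname or "").lower(), port)


def check_authentication(xml_text, document_url):
    """Parse the authentication element and list findings before any
    credentials are sent. document_url is where the introspection
    document was fetched from (supplied by the caller, an assumption)."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not accepted")
    root = ET.fromstring(xml_text)
    login = root.find("./authentication/login")
    logout = root.find("./authentication/logout")
    if login is None:
        return {"login_url": None, "fields": [], "findings": ["no login element"]}
    login_url = login.get("url", "")
    findings = []
    if urlsplit(login_url).scheme != "https":
        findings.append("login URL is not HTTPS")
    if origin(login_url) != origin(document_url):
        findings.append("login URL origin differs from introspection document")
    if logout is not None and urlsplit(logout.get("url", "")).scheme != "https":
        findings.append("logout URL is not HTTPS")
    fields = [p.get("name") for p in login.findall("./form/param")]
    return {"login_url": login_url, "fields": fields, "findings": findings}
```
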