[Osr-101] Re: [Yulup] [PROPOSAL] Login resp. authentication element within introspection

Michael Wechner michael.wechner at wyona.com
Sun May 6 11:28:57 CEST 2007


Andreas Wuest wrote:

> Hi
>
> On 3.5.2007 11:59 Uhr, Michael Wechner wrote:
>
>> Hi
>>
>> I would like to suggest that we introduce a login resp. 
>> authentication element for introspection, e.g.
>>
>> <introspection>
>>
>> <authentication>
>>    <login url="https://foo.bar/protected.xhtml?action=login-neutron">
>>      <message>Login for realm 'Foo Bar' ...</message>
>>      <form>
>>        <param description="Username" name="username"/>
>>        <param description="Password" name="passwd"/>
>>      </form>
>>    </login>
>>    <logout url="http://foo.bar/?action=logout"/>
>>  </authentication>
>>
>> </introspection>
>>
>>
>> which is the same as the already defined Neutron Authentication
>>
>> http://neutron.wyona.org/draft-neutron-protocol-v0.html#rfc.section.7.1
>>
>> The reason for this is that one might not want to show versions and 
>> workflows and open/save URLs to the public within the introspection 
>> document but rather user specific (which would be decided by the 
>> server).
>>
>> Of course one could protect the introspection document, but every 
>> time one would request a public page with a protected introspection 
>> document one would receive a login screen which doesn't really make 
>> sense.
>>
>> Another workaround would be to use client certificates, but it's one 
>> more complexity and also client certificates are client specific.
>>
>> This is why I think the authentication element would make sense also 
>> within the introspection.
>>
>> WDYT?
>
>
> Generally, a good idea. Some points to think about:
>
>  * What happens after login? Does the user have to reload the page then 
> in order to get extended introspection data?


btw, I have added the proposal to

http://neutron.wyona.org/amendments/authentication-within-introspection.html

and also added your questions

Cheers

Michi

>  * The resources linked from the introspection data might actually be 
> in a different realm, which requires the user to login again.
>  * This solution ultimately requires the server to generate the 
> introspection data dynamically (at least the part which contains this 
> authentication snippet), because the authentication mechanism might 
> change (e.g. more credentials are required like a PIN, etc.). If the 
> server does not generate that dynamically, all introspection files 
> have to be rewritten.
>


-- 
Michael Wechner
Wyona      -   Open Source Content Management   -    Apache Lenya
http://www.wyona.com                      http://lenya.apache.org
michael.wechner at wyona.com                        michi at apache.org
+41 44 272 91 61
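
Added example, not part of the original message or the Neutron draft: a client-side reader for the proposed authentication element that takes the credential fields from the document (so an extra field such as a PIN needs no client change) and checks the login and logout URLs before any credentials are sent. It assumes unnamespaced elements as in the snippet above; the function names, the sample document with its PIN field, and the https and same-host checks are assumptions of this example, not requirements stated in the proposal.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample, modelled on the snippet in the proposal plus a PIN field.
SAMPLE = """<introspection>
  <authentication>
    <login url="https://foo.bar/protected.xhtml?action=login-neutron">
      <message>Login for realm 'Foo Bar' ...</message>
      <form>
        <param description="Username" name="username"/>
        <param description="Password" name="passwd"/>
        <param description="PIN" name="pin"/>
      </form>
    </login>
    <logout url="http://foo.bar/?action=logout"/>
  </authentication>
</introspection>"""

def host(url):
    return (urlsplit(url).hostname or "").lower()

def parse_authentication(xml_text, document_url):
    """Return login/logout details plus warnings a client should act on."""
    auth = ET.fromstring(xml_text).find("authentication")
    if auth is None:
        return None  # public introspection only, nothing to log in to
    login, logout = auth.find("login"), auth.find("logout")
    if login is None or not login.get("url"):
        raise ValueError("authentication element without a login url")
    login_url = login.get("url")
    warnings = []
    if urlsplit(login_url).scheme.lower() != "https":
        warnings.append("login url is not https; do not send credentials")
    # Client policy assumed by this example (not in the proposal): same host.
    if host(login_url) != host(document_url):
        warnings.append("login host differs from introspection host")
    logout_url = logout.get("url") if logout is not None else None
    if logout_url and urlsplit(logout_url).scheme.lower() != "https":
        warnings.append("logout url is not https")
    # Fields are read from the document, never hard-coded in the client.
    fields = [(p.get("name"), p.get("description"))
              for p in login.iterfind("form/param")]
    return {"login_url": login_url, "logout_url": logout_url,
            "message": login.findtext("message"), "fields": fields,
            "warnings": warnings}
```
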



