[Yanel-dev] Authentication successful but authorization denied

Andreas Wuest awuest at student.ethz.ch
Fri Jan 5 17:49:54 CET 2007


Hi

There is an unpleasant corner case where a user wants to access a page, 
is then prompted to authenticate, authentication succeeds, but the 
access subsequently fails because the user, although authenticated 
correctly, does not have the proper access rights.

I don't know how we could improve this behaviour user-interface wise.

One possibility would be, since the client sends the cookie from which 
Yanel can recognise that the user is already authenticated, that Yanel 
sends a different exception in step 6.

This has the downside that a user may have multiple accounts, one of 
which indeed has the rights to access that document, while he is 
currently logged in as a different user. If the user were not offered 
the possibility to authenticate in step 6, he could not change the 
account.

Below is a sample conversation of such a case (unimportant headers 
removed for clarity).


Step 1. Yulup (initial request for document):

GET http://yanel.wyona.org/specification/annotations.html.txt?yanel.resource.usecase=checkout HTTP/1.1
Host: yanel.wyona.org
Neutron: 1.0-dev
WWW-Authenticate: Neutron-Auth


Step 2. Yanel (user is unauthorized, Yanel offers to authenticate):

HTTP/1.1 401 Unauthorized
WWW-Authenticate: NEUTRON-AUTH
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 898
Set-Cookie: JSESSIONID=DA9A2D7CA3C0B00730BFA35DA0AA8AD8.cnode2; Path=/

<?xml version="1.0"?>
<exception xmlns="http://www.wyona.org/neutron/1.0" type="authorization">
  <message>Authorization denied: http://yanel.wyona.org:80/specification/annotations.html.txt?yanel.resource.usecase=checkout</message>
  <authentication>
    <original-request url="http://yanel.wyona.org:80/specification/annotations.html.txt?yanel.resource.usecase=checkout"/>
    <login url="http://yanel.wyona.org:80/specification/annotations.html.txt?yanel.resource.usecase=checkout&amp;yanel.usecase=neutron-auth" method="POST">
      <form>
        <message>Enter username and password for "Yanel Website" at "/yanel-website/"</message>
        <param description="Username" name="username"/>
        <param description="Password" name="password"/>
      </form>
    </login>
    <logout url="http://yanel.wyona.org:80/specification/annotations.html.txt?yanel.resource.usecase=checkout&amp;yanel.usecase=logout" realm="Yanel Website"/>
  </authentication>
</exception>


Step 3. Yulup (sends user credentials):

POST http://yanel.wyona.org/specification/annotations.html.txt?yanel.resource.usecase=checkout&yanel.usecase=neutron-auth HTTP/1.1
Host: yanel.wyona.org:80
Content-Type: text/xml; charset=UTF-8
Neutron: 1.0-dev
WWW-Authenticate: Neutron-Auth
Cookie: JSESSIONID=DA9A2D7CA3C0B00730BFA35DA0AA8AD8.cnode2

<?xml version="1.0"?>
<authentication xmlns="http://www.wyona.org/neutron/1.0">
   <param name="username">lenya</param>
   <param name="password">levi</param>
   <original-request url="http://yanel.wyona.org:80/specification/annotations.html.txt?yanel.resource.usecase=checkout"/>
</authentication>


Step 4. Yanel (authorization succeeded):

HTTP/1.1 200 OK
Content-Type: text/plain;charset=ISO-8859-1
Content-Length: 34

Neutron Authentication Successful!


Step 5. Yulup (reissues the original request):

GET http://yanel.wyona.org/specification/annotations.html.txt?yanel.resource.usecase=checkout HTTP/1.1
Host: yanel.wyona.org
Neutron: 1.0-dev
WWW-Authenticate: Neutron-Auth
Cookie: JSESSIONID=DA9A2D7CA3C0B00730BFA35DA0AA8AD8.cnode2


Step 6. Yanel (user is unauthorized, offers to authenticate):

HTTP/1.1 401 Unauthorized
WWW-Authenticate: NEUTRON-AUTH
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 898

<?xml version="1.0"?>
<exception xmlns="http://www.wyona.org/neutron/1.0" type="authorization">
  <message>Authorization denied: http://yanel.wyona.org:80/specification/annotations.html.txt?yanel.resource.usecase=checkout</message>
  <authentication>
    <original-request url="http://yanel.wyona.org:80/specification/annotations.html.txt?yanel.resource.usecase=checkout"/>
    <login url="http://yanel.wyona.org:80/specification/annotations.html.txt?yanel.resource.usecase=checkout&amp;yanel.usecase=neutron-auth" method="POST">
      <form>
        <message>Enter username and password for "Yanel Website" at "/yanel-website/"</message>
        <param description="Username" name="username"/>
        <param description="Password" name="password"/>
      </form>
    </login>
    <logout url="http://yanel.wyona.org:80/specification/annotations.html.txt?yanel.resource.usecase=checkout&amp;yanel.usecase=logout" realm="Yanel Website"/>
  </authentication>
</exception>

-- 
Kind regards,
Andi


