[Yanel-dev] Authentication successful but authorization denied
Andreas Wuest
awuest at student.ethz.ch
Fri Jan 5 17:49:54 CET 2007
Hi
There is an unpleasant corner case where a user likes to access a page,
is then prompted to authenticate itself, authentication succeeds, but
the access subsequently fails because the user, although authenticated
correctly, does not have the proper access rights.
I don't know how we could improve this behaviour user-interface wise.
One possibility would be, since the client sends the cookie from which
Yanel can recognise that the user is already authenticated, that Yanel
sends a different exception in step 6.
This has the downside that a user may have multiple accounts, one which
indeed has the rights to access that document, but is currently logged
in as a different user. When not offering the user the possibility to
authenticate in step 6, he then couldn't change the account.
Below is a sample conversation of such a case (unimportant headers
removed for clarity).
Step 1. Yulup (initial request for document):
GET http://yanel.wyona.org/specification/annotations.html.txt?yanel.resource.usecase=checkout HTTP/1.1
Host: yanel.wyona.org
Neutron: 1.0-dev
WWW-Authenticate: Neutron-Auth
Step 2. Yanel (user is unauthorized, Yanel offers to authenticate):
HTTP/1.1 401 Unauthorized
WWW-Authenticate: NEUTRON-AUTH
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 898
Set-Cookie: JSESSIONID=DA9A2D7CA3C0B00730BFA35DA0AA8AD8.cnode2; Path=/
<?xml version="1.0"?>
<exception xmlns="http://www.wyona.org/neutron/1.0" type="authorization">
  <message>Authorization denied: http://yanel.wyona.org:80/specification/annotations.html.txt?yanel.resource.usecase=checkout</message>
  <authentication>
    <original-request url="http://yanel.wyona.org:80/specification/annotations.html.txt?yanel.resource.usecase=checkout"/>
    <login url="http://yanel.wyona.org:80/specification/annotations.html.txt?yanel.resource.usecase=checkout&yanel.usecase=neutron-auth" method="POST">
      <form>
        <message>Enter username and password for "Yanel Website" at "/yanel-website/"</message>
        <param description="Username" name="username"/>
        <param description="Password" name="password"/>
      </form>
    </login>
    <logout url="http://yanel.wyona.org:80/specification/annotations.html.txt?yanel.resource.usecase=checkout&yanel.usecase=logout" realm="Yanel Website"/>
  </authentication>
</exception>
Step 3. Yulup (sends user credentials):
POST http://yanel.wyona.org/specification/annotations.html.txt?yanel.resource.usecase=checkout&yanel.usecase=neutron-auth HTTP/1.1
Host: yanel.wyona.org:80
Content-Type: text/xml; charset=UTF-8
Neutron: 1.0-dev
WWW-Authenticate: Neutron-Auth
Cookie: JSESSIONID=DA9A2D7CA3C0B00730BFA35DA0AA8AD8.cnode2
<?xml version="1.0"?>
<authentication xmlns="http://www.wyona.org/neutron/1.0">
<param name="username">lenya</param>
<param name="password">levi</param>
<original-request
url="http://yanel.wyona.org:80/specification/annotations.html.txt?yanel.resource.usecase=checkout"/>
</authentication>
Step 4. Yanel (authorization succeeded):
HTTP/1.1 200 OK
Content-Type: text/plain;charset=ISO-8859-1
Content-Length: 34
Neutron Authentication Successful!
Step 5. Yulup (reissues the original request):
GET http://yanel.wyona.org/specification/annotations.html.txt?yanel.resource.usecase=checkout HTTP/1.1
Host: yanel.wyona.org
Neutron: 1.0-dev
WWW-Authenticate: Neutron-Auth
Cookie: JSESSIONID=DA9A2D7CA3C0B00730BFA35DA0AA8AD8.cnode2
Step 6. Yanel (user is unauthorized, offers to authenticate):
HTTP/1.1 401 Unauthorized
WWW-Authenticate: NEUTRON-AUTH
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 898
<?xml version="1.0"?>
<exception xmlns="http://www.wyona.org/neutron/1.0" type="authorization">
  <message>Authorization denied: http://yanel.wyona.org:80/specification/annotations.html.txt?yanel.resource.usecase=checkout</message>
  <authentication>
    <original-request url="http://yanel.wyona.org:80/specification/annotations.html.txt?yanel.resource.usecase=checkout"/>
    <login url="http://yanel.wyona.org:80/specification/annotations.html.txt?yanel.resource.usecase=checkout&yanel.usecase=neutron-auth" method="POST">
      <form>
        <message>Enter username and password for "Yanel Website" at "/yanel-website/"</message>
        <param description="Username" name="username"/>
        <param description="Password" name="password"/>
      </form>
    </login>
    <logout url="http://yanel.wyona.org:80/specification/annotations.html.txt?yanel.resource.usecase=checkout&yanel.usecase=logout" realm="Yanel Website"/>
  </authentication>
</exception>
--
Kind regards,
Andi
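A server-side sketch of the distinction raised in the mail, added here as an example and not Yanel's own code: the handler uses the session cookie to tell "nobody is logged in" (step 2) from "an authenticated user lacks the right" (step 6), types the Neutron exception accordingly and names the account, but keeps the login element in both cases so a user with a second account can still switch. The session table, group membership and ACL are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional
from xml.etree import ElementTree as ET

NS = "http://www.wyona.org/neutron/1.0"
ET.register_namespace("", NS)

# Constructed sample data: session cookie -> user, user -> groups,
# and which groups may run a given usecase on a given path.
SESSIONS = {"DA9A2D7CA3C0B00730BFA35DA0AA8AD8.cnode2": "lenya", "sess-editor": "editor1"}
GROUPS = {"lenya": {"reader"}, "editor1": {"editor"}}
ACL = {"/specification/annotations.html.txt": {"checkout": {"editor"}}}


@dataclass
class Response:
    status: int
    exception_type: str  # "" on success, otherwise the <exception type="..."> value
    body: str


def neutron_exception(exc_type: str, message: str, url: str) -> str:
    """Build a Neutron exception document; <login> is always present so the
    client can submit credentials for a different account."""
    exc = ET.Element(f"{{{NS}}}exception", type=exc_type)
    ET.SubElement(exc, f"{{{NS}}}message").text = message
    auth = ET.SubElement(exc, f"{{{NS}}}authentication")
    ET.SubElement(auth, f"{{{NS}}}original-request", url=url)
    login = ET.SubElement(auth, f"{{{NS}}}login", url=url + "&yanel.usecase=neutron-auth", method="POST")
    form = ET.SubElement(login, f"{{{NS}}}form")
    ET.SubElement(form, f"{{{NS}}}message").text = "Enter username and password"
    ET.SubElement(form, f"{{{NS}}}param", description="Username", name="username")
    ET.SubElement(form, f"{{{NS}}}param", description="Password", name="password")
    ET.SubElement(auth, f"{{{NS}}}logout", url=url + "&yanel.usecase=logout", realm="Yanel Website")
    return ET.tostring(exc, encoding="unicode")


def handle_request(path: str, usecase: str, cookie: Optional[str]) -> Response:
    url = f"http://yanel.wyona.org:80{path}?yanel.resource.usecase={usecase}"
    user = SESSIONS.get(cookie or "")
    allowed = ACL.get(path, {}).get(usecase, set())
    if user is not None and GROUPS.get(user, set()) & allowed:
        return Response(200, "", "OK")
    if user is None:
        # Step 2: no session at all, so the client has to authenticate first.
        return Response(401, "authentication",
                        neutron_exception("authentication", "Authentication required: " + url, url))
    # Step 6: the session identifies an authenticated user without the right.
    # Say so (naming the account) so the client does not loop on re-login,
    # while still offering <login> for switching to another account.
    return Response(403, "authorization",
                    neutron_exception("authorization", f"Authorization denied for user '{user}': {url}", url))
```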