[Yanel-dev] Authentication successful but authorization denied

Josias Thöny josias.thoeny at wyona.com
Fri Jan 5 18:01:08 CET 2007


Hi,

On Fri, 2007-01-05 at 17:49 +0100, Andreas Wuest wrote:
> Hi
> 
> There is an unpleasant corner case where a user likes to access a page, 
> is then prompted to authenticate itself, authentication succeeds, but 
> the access subsequently fails because the user, although authenticated 
> correctly, does not have the proper access rights.
> 
> I don't know how we could improve this behaviour user-interface wise.
> 
> One possibility would be, since the client sends the cookie from which 
> Yanel can recognise that the user is already authenticated, that Yanel 
> sends a different exception in step 6.
> 
> This has the downside that a user may have multiple accounts, one which 
> indeed has the rights to access that document, but is currently logged 
> in as a different user. When not offering the user the possibility to 
> authenticate in step 6, he then couldn't change the account.

IIRC in Lenya we show a different login form in that case, which says
something like: 

----
Access Denied
The user '{0}' is not authorized to access the page '{1}'
If you have another user account with the corresponding privileges,
please provide user name and password below.
Username: ___
Password: ___
----

WDYT, could we do something similar in yanel?

josias


> 
> Below is a sample conversation of such a case (unimportant headers 
> removed for clarity).
> 
> 
> Step 1. Yulup (initial request for document):
> 
> GET 
> http://yanel.wyona.org/specification/annotations.html.txt?yanel.resource.usecase=checkout 
> HTTP/1.1
> Host: yanel.wyona.org
> Neutron: 1.0-dev
> WWW-Authenticate: Neutron-Auth
> 
> 
> Step 2. Yanel (user is unauthorized, Yanel offers to authenticate):
> 
> HTTP/1.1 401 Unauthorized
> WWW-Authenticate: NEUTRON-AUTH
> Content-Type: text/html;charset=ISO-8859-1
> Content-Length: 898
> Set-Cookie: JSESSIONID=DA9A2D7CA3C0B00730BFA35DA0AA8AD8.cnode2; Path=/
> 
> <?xml version="1.0"?><exception xmlns="http://www.wyona.org/neutron/1.0" 
> type="authorization"><message>Authorization denied: 
> http://yanel.wyona.org:80/specification/annotations.html.txt?yanel.resource.usecase=checkout</message><authentication><original-request 
> url="http://yanel.wyona.org:80/specification/annotations.html.txt?yanel.resource.usecase=checkout"/><login 
> url="http://yanel.wyona.org:80/specification/annotations.html.txt?yanel.resource.usecase=checkout&yanel.usecase=neutron-auth" 
> method="POST"><form><message>Enter username and password for "Yanel 
> Website" at "/yanel-website/"</message><param description="Username" 
> name="username"/><param description="Password" 
> name="password"/></form></login><logout 
> url="http://yanel.wyona.org:80/specification/annotations.html.txt?yanel.resource.usecase=checkout&yanel.usecase=logout" 
> realm="Yanel Website"/></authentication></exception>
> 
> 
> Step 3. Yulup (sends user credentials):
> 
> POST 
> http://yanel.wyona.org/specification/annotations.html.txt?yanel.resource.usecase=checkout&yanel.usecase=neutron-auth 
> HTTP/1.1
> Host: yanel.wyona.org:80
> Content-Type: text/xml; charset=UTF-8
> Neutron: 1.0-dev
> WWW-Authenticate: Neutron-Auth
> Cookie: JSESSIONID=DA9A2D7CA3C0B00730BFA35DA0AA8AD8.cnode2
> 
> <?xml version="1.0"?>
> <authentication xmlns="http://www.wyona.org/neutron/1.0">
>    <param name="username">lenya</param>
>    <param name="password">levi</param>
>    <original-request 
> url="http://yanel.wyona.org:80/specification/annotations.html.txt?yanel.resource.usecase=checkout"/>
> </authentication>
> 
> 
> Step 4. Yanel (authorization succeeded):
> 
> HTTP/1.1 200 OK
> Content-Type: text/plain;charset=ISO-8859-1
> Content-Length: 34
> 
> Neutron Authentication Successful!
> 
> 
> Step 5. Yulup (reissues the original request):
> 
> GET 
> http://yanel.wyona.org/specification/annotations.html.txt?yanel.resource.usecase=checkout 
> HTTP/1.1
> Host: yanel.wyona.org
> Neutron: 1.0-dev
> WWW-Authenticate: Neutron-Auth
> Cookie: JSESSIONID=DA9A2D7CA3C0B00730BFA35DA0AA8AD8.cnode2
> 
> 
> Step 6. Yanel (user is unauthorized, offers to authenticate):
> 
> HTTP/1.1 401 Unauthorized
> WWW-Authenticate: NEUTRON-AUTH
> Content-Type: text/html;charset=ISO-8859-1
> Content-Length: 898
> 
> <?xml version="1.0"?><exception xmlns="http://www.wyona.org/neutron/1.0" 
> type="authorization"><message>Authorization denied: 
> http://yanel.wyona.org:80/specification/annotations.html.txt?yanel.resource.usecase=checkout</message><authentication><original-request 
> url="http://yanel.wyona.org:80/specification/annotations.html.txt?yanel.resource.usecase=checkout"/><login 
> url="http://yanel.wyona.org:80/specification/annotations.html.txt?yanel.resource.usecase=checkout&yanel.usecase=neutron-auth" 
> method="POST"><form><message>Enter username and password for "Yanel 
> Website" at "/yanel-website/"</message><param description="Username" 
> name="username"/><param description="Password" 
> name="password"/></form></login><logout 
> url="http://yanel.wyona.org:80/specification/annotations.html.txt?yanel.resource.usecase=checkout&yanel.usecase=logout" 
> realm="Yanel Website"/></authentication></exception>
> 
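Josias's suggestion turned into server-side logic, as an added example that is not Yanel's, Yulup's or Lenya's code: the handler tells an anonymous request (step 2) apart from an authenticated session that the ACL rejects (step 6) and says so in the Neutron exception, while still offering the login form so a different account can be used. The session table, the ACL, the `authenticated-user` attribute and all function names are assumptions; the URLs and cookie value are taken from the sample conversation above.

```python
from xml.etree import ElementTree as ET

NS = "http://www.wyona.org/neutron/1.0"
ET.register_namespace("", NS)
BASE = "http://yanel.wyona.org:80"

# Constructed sample state: session cookie -> authenticated user (the cookie value
# is the one from the thread's sample) and resource path -> users allowed to access it.
SESSIONS = {"DA9A2D7CA3C0B00730BFA35DA0AA8AD8.cnode2": "lenya"}
ACL = {"/specification/annotations.html.txt": {"alice"}}


def neutron_exception(request_uri, message, user=None):
    """Build the Neutron 1.0 'authorization' exception as XML text."""
    url = BASE + request_uri
    sep = "&" if "?" in url else "?"
    exc = ET.Element("{%s}exception" % NS, type="authorization")
    ET.SubElement(exc, "{%s}message" % NS).text = message
    auth = ET.SubElement(exc, "{%s}authentication" % NS)
    if user is not None:
        # Hypothetical extension, not in the Neutron 1.0-dev sample on this thread:
        # tells the client this is a re-authentication, not a first login.
        auth.set("authenticated-user", user)
    ET.SubElement(auth, "{%s}original-request" % NS, url=url)
    login = ET.SubElement(auth, "{%s}login" % NS,
                          url=url + sep + "yanel.usecase=neutron-auth", method="POST")
    form = ET.SubElement(login, "{%s}form" % NS)
    ET.SubElement(form, "{%s}message" % NS).text = message
    ET.SubElement(form, "{%s}param" % NS, description="Username", name="username")
    ET.SubElement(form, "{%s}param" % NS, description="Password", name="password")
    ET.SubElement(auth, "{%s}logout" % NS, url=url + sep + "yanel.usecase=logout",
                  realm="Yanel Website")
    return ET.tostring(exc, encoding="unicode")


def authorize(request_uri, jsessionid):
    """Return (status, body); distinguishes 'not logged in' from 'logged in, no rights'."""
    resource = request_uri.split("?", 1)[0]
    user = SESSIONS.get(jsessionid)
    if user is None:
        # Step 2 of the thread: anonymous request, offer the plain login form.
        return 401, neutron_exception(request_uri, "Authorization denied: " + BASE + request_uri)
    if user in ACL.get(resource, set()):
        return 200, None
    # Step 6 of the thread: the session is authenticated but the ACL denies it.
    # Say so, Lenya-style, and still offer the form so another account can be used.
    msg = ("Access Denied. The user '%s' is not authorized to access the page '%s'. "
           "If you have another user account with the corresponding privileges, "
           "please provide user name and password below." % (user, resource))
    return 401, neutron_exception(request_uri, msg, user=user)
```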
