[Yanel-dev] Authentication successful but authorization denied

Michael Wechner michael.wechner at wyona.com
Fri Jan 5 22:48:01 CET 2007


Josias Thöny wrote:

>Hi,
>
>On Fri, 2007-01-05 at 17:49 +0100, Andreas Wuest wrote:
>  
>
>>Hi
>>
>>There is an unpleasant corner case where a user likes to access a page, 
>>is then prompted to authenticate itself, authentication succeeds, but 
>>the access subsequently fails because the user, although authenticated 
>>correctly, does not have the proper access rights.
>>
>>I don't know how we could improve this behaviour user-interface wise.
>>
>>One possibility would be, since the client sends the cookie from which 
>>Yanel can recognise that the user is already authenticated, that Yanel 
>>sends a different exception in step 6.
>>
>>This has the downside that a user may have multiple accounts, one which 
>>indeed has the rights to access that document, but is currently logged 
>>in as a different user. When not offering the user the possibility to 
>>authenticate in step 6, he then couldn't change the account.
>>    
>>
>
>IIRC in Lenya we show a different login form in that case, which says
>something like: 
>
>----
>Access Denied
>The user '{0}' is not authorized to access the page '{1}'
>If you have another user account with the corresponding privileges,
>please provide user name and password below.
>Username: ___
>Password: ___
>----
>
>WDYT, could we do something similar in yanel?
>  
>

Sure (at least for HTML form-based this should work without a problem). 
You might want to add an enhancement.

The question might be how to communicate this with Neutron-Auth.

Any suggestions are welcome ;-)

Thanks

Michi

>josias
>
>
>  
>
>>Below is a sample conversation of such a case (unimportant headers 
>>removed for clarity).
>>
>>
>>Step 1. Yulup (initial request for document):
>>
>>GET 
>>http://yanel.wyona.org/specification/annotations.html.txt?yanel.resource.usecase=checkout 
>>HTTP/1.1
>>Host: yanel.wyona.org
>>Neutron: 1.0-dev
>>WWW-Authenticate: Neutron-Auth
>>
>>
>>Step 2. Yanel (user is unauthorized, Yanel offers to authenticate):
>>
>>HTTP/1.1 401 Unauthorized
>>WWW-Authenticate: NEUTRON-AUTH
>>Content-Type: text/html;charset=ISO-8859-1
>>Content-Length: 898
>>Set-Cookie: JSESSIONID=DA9A2D7CA3C0B00730BFA35DA0AA8AD8.cnode2; Path=/
>>
>><?xml version="1.0"?><exception xmlns="http://www.wyona.org/neutron/1.0" 
>>type="authorization"><message>Authorization denied: 
>>http://yanel.wyona.org:80/specification/annotations.html.txt?yanel.resource.usecase=checkout</message><authentication><original-request 
>>url="http://yanel.wyona.org:80/specification/annotations.html.txt?yanel.resource.usecase=checkout"/><login 
>>url="http://yanel.wyona.org:80/specification/annotations.html.txt?yanel.resource.usecase=checkout&yanel.usecase=neutron-auth" 
>>method="POST"><form><message>Enter username and password for "Yanel 
>>Website" at "/yanel-website/"</message><param description="Username" 
>>name="username"/><param description="Password" 
>>name="password"/></form></login><logout 
>>url="http://yanel.wyona.org:80/specification/annotations.html.txt?yanel.resource.usecase=checkout&yanel.usecase=logout" 
>>realm="Yanel Website"/></authentication></exception>
>>
>>
>>Step 3. Yulup (sends user credentials):
>>
>>POST 
>>http://yanel.wyona.org/specification/annotations.html.txt?yanel.resource.usecase=checkout&yanel.usecase=neutron-auth 
>>HTTP/1.1
>>Host: yanel.wyona.org:80
>>Content-Type: text/xml; charset=UTF-8
>>Neutron: 1.0-dev
>>WWW-Authenticate: Neutron-Auth
>>Cookie: JSESSIONID=DA9A2D7CA3C0B00730BFA35DA0AA8AD8.cnode2
>>
>><?xml version="1.0"?>
>><authentication xmlns="http://www.wyona.org/neutron/1.0">
>>   <param name="username">lenya</param>
>>   <param name="password">levi</param>
>>   <original-request 
>>url="http://yanel.wyona.org:80/specification/annotations.html.txt?yanel.resource.usecase=checkout"/>
>></authentication>
>>
>>
>>Step 4. Yanel (authorization succeeded):
>>
>>HTTP/1.1 200 OK
>>Content-Type: text/plain;charset=ISO-8859-1
>>Content-Length: 34
>>
>>Neutron Authentication Successful!
>>
>>
>>Step 5. Yulup (reissues the original request):
>>
>>GET 
>>http://yanel.wyona.org/specification/annotations.html.txt?yanel.resource.usecase=checkout 
>>HTTP/1.1
>>Host: yanel.wyona.org
>>Neutron: 1.0-dev
>>WWW-Authenticate: Neutron-Auth
>>Cookie: JSESSIONID=DA9A2D7CA3C0B00730BFA35DA0AA8AD8.cnode2
>>
>>
>>Step 6. Yanel (user is unauthorized, offers to authenticate):
>>
>>HTTP/1.1 401 Unauthorized
>>WWW-Authenticate: NEUTRON-AUTH
>>Content-Type: text/html;charset=ISO-8859-1
>>Content-Length: 898
>>
>><?xml version="1.0"?><exception xmlns="http://www.wyona.org/neutron/1.0" 
>>type="authorization"><message>Authorization denied: 
>>http://yanel.wyona.org:80/specification/annotations.html.txt?yanel.resource.usecase=checkout</message><authentication><original-request 
>>url="http://yanel.wyona.org:80/specification/annotations.html.txt?yanel.resource.usecase=checkout"/><login 
>>url="http://yanel.wyona.org:80/specification/annotations.html.txt?yanel.resource.usecase=checkout&yanel.usecase=neutron-auth" 
>>method="POST"><form><message>Enter username and password for "Yanel 
>>Website" at "/yanel-website/"</message><param description="Username" 
>>name="username"/><param description="Password" 
>>name="password"/></form></login><logout 
>>url="http://yanel.wyona.org:80/specification/annotations.html.txt?yanel.resource.usecase=checkout&yanel.usecase=logout" 
>>realm="Yanel Website"/></authentication></exception>
>>
>>    
>>
>
>
>_______________________________________________
>Yanel-development mailing list
>Yanel-development at wyona.com
>http://wyona.com/cgi-bin/mailman/listinfo/yanel-development
>
>  
>


-- 
Michael Wechner
Wyona      -   Open Source Content Management   -    Apache Lenya
http://www.wyona.com                      http://lenya.apache.org
michael.wechner at wyona.com                        michi at apache.org
+41 44 272 91 61
