
List:       kde-core-devel
Subject:    Re: Authentication and kio_http
From:       Waldo Bastian <bastian () kde ! org>
Date:       2000-06-14 0:23:05

On Tue, 13 Jun 2000, Kurt Granroth wrote:
> Are there any http experts that know of a really quick fix for this?

I'd rather have a proper fix than a quick fix.

> I'm going to start investigating it... but if you beat me to the fix,
> I'd appreciate it :-)

http is dictated by an RFC. So assuming that Zope is doing the right thing,
our http way of doing authentication is probably not in line with the RFC
(RFC 2617).

RFC 2616 covers it briefly (e.g. section 14.8):

      If a request is
      authenticated and a realm specified, the same credentials SHOULD
      be valid for all other requests within this realm (assuming that
      the authentication scheme itself does not require otherwise, such
      as credentials that vary according to a challenge value or using
      synchronized clocks).                       

So it seems that for authentication we need a mechanism similar to the one
used for cookies: before the slave requests a page it must ask a central
authority (kdesu?) for any credentials to send along.

From what I understand though it is not correct of Zope to depend on 
credentials being in the first request. I haven't read RFC 2617 though.

Cheers,
Waldo
-- 
Make way, KDE/Linux is coming to a desktop near you!
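
The cookie-like lookup proposed in the message above, sketched as an added example (not code from this post or from kio_http; all names are hypothetical). Credentials are scoped by scheme/host/port plus the directory of the challenged URL, the scoping RFC 2617 describes for Basic, so a slave can send them on the first request without ever handing them to a different origin.

```cpp
#include <map>
#include <string>
#include <tuple>
#include <vector>

// Added illustration with hypothetical names; not kio_http code.
using Origin = std::tuple<std::string, std::string, int>;  // scheme, host, port

struct Entry {
    std::string realm;        // realm from the WWW-Authenticate challenge
    std::string pathPrefix;   // directory of the URL that was challenged
    std::string credentials;  // opaque Authorization header value
};

class CredentialCache {
    std::map<Origin, std::vector<Entry>> store_;
    // "/manage/edit" -> "/manage/"
    static std::string dirOf(const std::string& path) {
        std::string::size_type slash = path.rfind('/');
        return slash == std::string::npos ? "/" : path.substr(0, slash + 1);
    }
public:
    // Record credentials once a challenge for `realm` was answered successfully.
    void remember(const Origin& o, const std::string& path,
                  const std::string& realm, const std::string& creds) {
        store_[o].push_back(Entry{realm, dirOf(path), creds});
    }
    // Before a request: credentials to send along, or "" if none are known.
    // Only the same scheme/host/port matches, so nothing leaks cross-origin.
    std::string lookup(const Origin& o, const std::string& path) const {
        auto it = store_.find(o);
        if (it == store_.end()) return "";
        const Entry* best = nullptr;  // longest matching prefix wins
        for (const Entry& e : it->second)
            if (path.compare(0, e.pathPrefix.size(), e.pathPrefix) == 0 &&
                (!best || e.pathPrefix.size() > best->pathPrefix.size()))
                best = &e;
        return best ? best->credentials : "";
    }
    // On a 401 naming `realm`: reuse known credentials instead of prompting.
    std::string forRealm(const Origin& o, const std::string& realm) const {
        auto it = store_.find(o);
        if (it == store_.end()) return "";
        for (const Entry& e : it->second)
            if (e.realm == realm) return e.credentials;
        return "";
    }
};
```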
