
List:       kde-core-devel
Subject:    Re: Authentication and kio_http
From:       Dawit Alemayehu <adawit () kde ! org>
Date:       2000-06-14 3:08:56

On Tue, 13 Jun 2000, Kurt Granroth wrote:
> Waldo Bastian wrote:
> > On Tue, 13 Jun 2000, Kurt Granroth wrote:
> > > Are there any http experts that know of a really quick fix for this?
> > 
> > I rather have a proper fix than a quick fix.
> 
> Yep... I wanted a quick proper fix :-)
> 
> > So it seems that we need for authentication a mechanism similar to the one 
> > used for cookies: before the slave requests a page it must ask a central 
> > authority (kdesu?) for any credentials to send along.
> 
> Yes.  There is code already for doing this in SlaveBase::openPassDlg.
> Unfortunately, you can't just call this function randomly... it will
> pop up a dialog if there is no cached authentication stuff.
> 
> So it appears that either we need to move some of the code into
> kio_http (bleah) or move the code into a separate public or protected
> function and have both kio_http and openPassDlg call it (yeah?)

Where ?? In its own class ??

> Does that make sense?

Here are the problems that you would face no matter what

1.)  How do you determine whether or not a particular request needs
authentication ?  There is no guarantee the same slave would be used
to process the request so a new slave would have no clue about the type of
authentication to use or the value of the realm !!  This is the major problem
caused by the flexible design of the io-slaves...

2.) How can you use the services of kdesud daemon without creating a dependency
b/n the libkio & libkdesud ??  Or should we scrap this and create another dcop server
that can be used to store such things ?? 

3.) How can you provide the password/authentication daemon to other io-slaves ??

When you consider the above questions it is not as easy to resolve this
solution.   I think we need to discuss this.  In fact I am stuck the same way
about providing a framework for SSL verification ??  How do you notify the client
app to show certain information.  So far I cannot find any solution without
creating yet another server !?!?  Anyways, either the quick-fix route or the
proper-fix route the problem is not as easy to deal with.  But then again ...

> Well, most pages *do* work "correctly" by sending back a 401.
> However, as I said, certain pages use the authentication info for
> determining state (not sure why cookies aren't used).  Those pages do
> need the auth stuff on the first try.
> 
> I am unsure whether that is a design flaw in Zope or not.  I think
> they *should* use cookies...  Anyway, it doesn't matter -- we should be
> able to handle this.

Well yes and no.  Yes because it should ( BTW SWAT seems to have this same
issue, I have no idea if Webmin does as well ) behave properly and return the
error code when the request came without authorization instead of simply trying
to fulfill this request.  On our part, we have overhead here because of this
issue.  We make unnecessary requests to the server if it needs authentication.

Regards,
Dawit A.
