List:       kde-core-devel
Subject:    Re: Authentication and kio_http
From:       Kurt Granroth <granroth () kde ! org>
Date:       2000-06-14 16:58:57

Waldo Bastian wrote:
> The stuff you are looking for is part of uiserver::authorize(), that needs to 
> be moved to kio_http. You probably don't need to check for a running kdesu 
> because if it isn't running we just wait for a 401 and when that happens it 
> will be started as is done now.

Yes.  In my tests last night, I moved it to SlaveBase in a
'checkCachedAuthentication' function.  It didn't work at all like I
expected because of what you say below:
 
> The problem of that approach however, seems to be that we don't necessarily 
> know the realm. E.g. we must look for any realm that is appropriate for our 
> request, but the current design only allows us to test whether we have a 
> password for a specific realm. 
> 
> E.g. we must transform a URL to a realm and based on that realm we can query 
> for credentials. But we can't transform a URL to a realm because we a) can't 
> query for a complete list of realms, b) don't store the URL for which a realm 
> is valid.

Right... we only know the host -- the realm is *only* available in the
'Www-authenticate' header... which only comes in a 401 :-/

I then thought that it might be alright to get the very first 401.
After all, if the FIRST page in a sequence of pages won't send back a
401, then it *is* broken as no browser sends authentication for an
initial request.

This also fails :-(  The problem is that we can (and usually do) have
several slaves servicing one site.  In the case of Zope, we will have
two frames and each frame gets its own slave.  The first frame is
fine since it already knows the realm.  The second is starting from
scratch and knows absolutely nothing.

I'm going to investigate the feasibility of storing the password in
kdesu on a host-based key as well as a realm based one.  We will try
for realm first, but will attempt by host if necessary.

> It says "MAY" and not "MUST". So the fact that Zope depends on that seems to 
> be a design flaw on the part of Zope. That doesn't mean that we shouldn't try 
> to fix it on our part, but it might be nice if Zope did their part as well.

Yes, I'm going to ask about that.
-- 
Kurt Granroth            | http://www.granroth.org
KDE Developer/Evangelist | SuSE Labs Open Source Developer
granroth@kde.org         | granroth@suse.com
           KDE -- Putting a Friendly Face on Unix
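
Added example (not part of the original message, and not KDE or kdesu code): a sketch of the lookup described above, a credential cache indexed by host and realm with a host-only fallback for a slave that has not yet seen a 401. The names AuthCache, Credentials, Match and Lookup and the host zope.example are assumptions made for illustration.

```cpp
#include <iostream>
#include <map>
#include <string>
#include <utility>

// Hypothetical types: the message does not show kdesu's storage interface.
struct Credentials { std::string user, password, realm; };

enum class Match { None, Realm, HostOnly };
struct Lookup { Match match; const Credentials* creds; };

class AuthCache {
public:
    // After a request succeeds with these credentials, index them twice.
    void store(const std::string& host, const Credentials& c) {
        byRealm_[std::make_pair(host, c.realm)] = c;
        byHost_[host] = c;  // most recent successful login for the host wins
    }

    // realm is empty when the caller has not yet received a 401 for this
    // host, e.g. a second slave loading another frame of the same site.
    Lookup lookup(const std::string& host, const std::string& realm = "") const {
        if (!realm.empty()) {
            auto it = byRealm_.find(std::make_pair(host, realm));
            if (it != byRealm_.end()) return {Match::Realm, &it->second};
        }
        auto it = byHost_.find(host);
        // HostOnly: the entry may belong to a different realm on this host,
        // so the caller must decide whether to send it before any challenge.
        if (it != byHost_.end()) return {Match::HostOnly, &it->second};
        return {Match::None, nullptr};
    }

private:
    std::map<std::pair<std::string, std::string>, Credentials> byRealm_;
    std::map<std::string, Credentials> byHost_;
};

int main() {
    AuthCache cache;
    cache.store("zope.example", {"kurt", "secret", "Zope"});  // constructed sample
    Lookup frame2 = cache.lookup("zope.example");  // second slave, realm unknown
    std::cout << (frame2.match == Match::HostOnly ? "host fallback: " : "no match: ")
              << (frame2.creds ? frame2.creds->user : std::string("-")) << "\n";
    return 0;
}
```

Returning the match kind lets the caller treat a host-only hit differently from a realm hit, for instance by offering it only over the same scheme and port it was learned on.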
