Quoting Carsten Ziegeler <[EMAIL PROTECTED]>:
> > Sylvain Wallez wrote:
> > <snip>
> > >
> > >>A question about sunRise : is it possible to use standard HTTP
> > >>authentication and authorization ? AFAICS, it seems to be very tied
> to
> > >>form-based and application-managed authentication.
> > >>
> > >
> > >You can use any information you can reach from within the Java code.
> > >I'm not sure if there is a change to get the HTTP authentication
> infos.
> > >If yes, you can use sunRise.
> > >
> > The problem comes from the login page. With HTTP authentication, you
> > don't have a dedicated login page, and thus cannot use this one to
> > handle authentication. Or did I miss something ?
> >
>
> Hm, correct me if I'm wrong as we never used HTTP authentication with
> sunRise.
> If a user requests a URI from the web server which is protected, the web
> server
> (or the browser) prompts for the authentication information.
Yes. This is true for all kinds of authentication types (BASIC-AUTH as well as
SSL client certs).
> Only if the
> user is authenticated this request is forwarded to the servlet engine.
^ by the web server
> Is this correct?
Yes.
> If this is so, the servlet engine can - without using a form - use the
> sunRise-login
> action, get the information from the web server (if possible) and log
> the
> user
> into sunRise.
Yes, without redirecting it to a login page (in any case). In the case the
Action thinks a user is not authorized it has to tell it back to the web server
by using the corresponding HTTP response code (5xx IIRC).
The authenticating server and the application share a common user base (the web
server for authentication and the application for authorisation).
> Does this make sense?
I think so.
Giacomo
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, email: [EMAIL PROTECTED]
