On Thu, Sep 17, 2009 at 20:47, Vidar Ramdal <vi...@idium.no> wrote:
> Are you sure about the XHR request part?
>
> That's not my experience with Safari, it won't send the Authentication
> header on subsequent requests if not explicitly asked for it (by the
> server sending WWW-Authenticate) on every request. I'll see if I can
> come up with some steps to reproduce it.
It works with XHR if you don't pass the credentials in the XHR open call via JavaScript but simply let the browser login dialog come up and enter the credentials manually. After that, Safari 3/4 will cache them and send them preemptively. From that and other behavior I deduced the "only cache user-entered credentials" principle in Safari.

For Chrome (I think I tested the first version) it's even more complicated, as it never does preemptive authentication at all (not sure if they added that in recent versions). So the server must be able to send the 401 + WWW-Authenticate header *every* time (= doubles the amount of requests), which is why (popular) browsers quickly switched to preemptive authentication to improve performance. A "pure" browser such as Links or Lynx will also never do preemptive authentication, but I think one can neglect that issue ;-)

Currently Sling's auth handler will assume that a plain request with no credentials is a "new" user that is not yet logged in and will redirect him to the login page. That's why there is the special sling:authRequestLogin parameter that will enforce the normal behavior, i.e. that the first login request runs through all the steps: send w/o credentials, 401, send w/ credentials, 200 => credentials cached (depending on browser).

Hence with Chrome you not only have to accept the browser-login-dialog fact, but also make sure the server-side authentication handler handles 401 answers for all requests. But since you no longer need the special login page, you would remove that redirect anyway.

I have created a small browser test suite (with some perl cgi to be run in a plain Apache httpd) for that back then when I was experimenting. If you are interested, I could make it publicly available.

Regards,
Alex

--
Alexander Klimetschek
alexander.klimetsc...@day.com
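The exchange Alex describes (request without credentials, 401 + WWW-Authenticate, retry with credentials, 200, then either cached-and-preemptive or challenged-every-time) as an added, self-contained model; this is not Sling's code nor anything from the thread. The server side is a deliberately small stand-in: the `authRequestLogin` query parameter, the `/login.html` redirect target, the realm and the `alice` credentials are all assumptions made for the example, chosen to mirror the redirect-unless-forced-401 behavior the mail attributes to Sling's auth handler. The two client models show why a browser that never caches credentials doubles the request count while a preemptive one costs only one extra round trip in total.

```python
"""Model of HTTP Basic challenge/response with preemptive and non-preemptive clients.
Added example; a simplified stand-in, not Sling's authentication handler."""
import base64
import hmac

REALM = "demo"                          # assumed realm name
USERS = {"alice": "s3cret"}             # constructed sample credentials
FORCE_401_PARAM = "authRequestLogin"    # hypothetical stand-in for sling:authRequestLogin
LOGIN_PAGE = "/login.html"              # assumed redirect target for "new" users


def parse_basic(header):
    """Return (user, password) from an 'Authorization: Basic <b64>' value, or None.
    Splits on the first ':' only, so passwords containing ':' survive."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def credentials_valid(user, password):
    """Constant-time password check; unknown users still pay for a comparison."""
    expected = USERS.get(user, "")
    ok = hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8"))
    return ok and user in USERS


def handle(headers, query=()):
    """Server side. Returns (status, response_headers) for one request.
    Without the force parameter a credential-less request is treated as a new
    user and redirected to the login page, as the mail describes for Sling."""
    creds = parse_basic(headers.get("Authorization"))
    if creds is not None and credentials_valid(*creds):
        return 200, {}
    if creds is None and FORCE_401_PARAM not in query:
        return 302, {"Location": LOGIN_PAGE}
    # Plain HTTP behaviour: challenge so the browser can (re)send credentials.
    return 401, {"WWW-Authenticate": 'Basic realm="%s"' % REALM}


def basic_header(user, password):
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8")).decode("ascii")
    return "Basic " + token


def browse(n_pages, preemptive, user="alice", password="s3cret"):
    """Client model fetching n_pages protected pages, always with the force
    parameter set so the server challenges instead of redirecting.
    preemptive=True : Safari-like, caches credentials after the first 401.
    preemptive=False: Chrome-v1/Lynx-like, only sends credentials when challenged.
    Returns (requests_sent, final_status_per_page)."""
    cached = None
    sent = 0
    statuses = []
    for _ in range(n_pages):
        headers = {}
        if preemptive and cached:
            headers["Authorization"] = cached
        status, resp = handle(headers, query={FORCE_401_PARAM})
        sent += 1
        if status == 401 and "WWW-Authenticate" in resp:
            # Login dialog (first time) or credential cache supplies the answer.
            cached = basic_header(user, password)
            status, resp = handle({"Authorization": cached}, query={FORCE_401_PARAM})
            sent += 1
        statuses.append(status)
    return sent, statuses


if __name__ == "__main__":
    print("preemptive client, 5 pages:", browse(5, preemptive=True))
    print("challenge-every-time client, 5 pages:", browse(5, preemptive=False))
```

Running it prints 6 requests for the preemptive client and 10 for the one that must be challenged each time, which is the doubling the mail refers to; dropping the force parameter from a credential-less request yields the 302 to the login page instead of a 401, which is exactly what a non-preemptive browser cannot recover from on its own.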