At least in the WebDAV case, is there any way to use the Accepts header to help with making the decision as to how to respond? i.e. if Accepts contains text/html, return the login page. If it doesn't, return a 401. Perhaps this requires more testing of WebDAV clients than we can effectively do, but it does seem to make semantic sense - if a user agent says it can support (accept) HTML, we should give it HTML.
Doesn't really help with XHR, but I thought the 403 response was the right way to deal with that.

Justin

On 9/17/10 10:59 AM, Felix Meschberger wrote:
> Hi all,
>
> I am trying to tackle issues SLING-1400 [1] and SLING-1745 [2].
>
> The first issue is about WebDAV clients connecting to Sling on root with
> an OPTIONS request and not being happy with a redirect response, obviously.
>
> The second issue is about client side JavaScript application frameworks
> which may send XHR requests to Sling, mainly POSTs destined for the POST
> Servlet but probably also other stuff. Such frameworks are also generally
> not very happy getting redirect responses back.
>
> Solutions for both problems would probably have to be implemented in the
> SlingAuthenticator.doLogin method, which is called after an unsuccessful
> login or after a first request noticing that authentication is required.
>
> So here are the options I came up with:
>
> * Send back a 401 response, at least for the OPTIONS request
>   to trigger a regular HTTP Basic Authentication
> * Send back a 403 response, to indicate that access is currently
>   forbidden (we discussed this option earlier [3]).
>
> My questions:
>
> - Would it be ok to special case the OPTIONS request?
> - Shall we generally only send back a generic credentials request
>   (may be a redirect or a form directly or whatever) if the
>   original request was GET and send back either 401 or 403 for
>   all non-GET requests, including HEAD?
> - Is it a good idea to send back 401 generally?
> - Should we only send back 401 if HTTP Basic authentication is
>   enabled fully or enabled preemptively and send back 403 if
>   HTTP Basic authentication is switched off completely?
> - Am I completely off track?
>
> WDYT?
>
> Regards
> Felix
>
> [1] https://issues.apache.org/jira/browse/SLING-1400
> [2] https://issues.apache.org/jira/browse/SLING-1745
> [3] http://markmail.org/message/jwsvk6swnxvvfsyz
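The Accept-based decision proposed above, combined with the 401-versus-403 options from the quoted mail, written out as an added Python example. This is not Sling's SlingAuthenticator code: the function names, the status policy, the realm string and the sample requests are constructed for illustration. The one point the code adds to the discussion is that a wildcard such as `*/*` (what XHR libraries and many WebDAV clients send) is not treated as "the client wants HTML"; only an explicit `text/html` with a non-zero q value selects the login form, and a 401 always carries the `WWW-Authenticate` challenge the status requires.

```python
"""Pick a response for an unauthenticated request: login form, 401 or 403.

Added illustration, not Apache Sling's SlingAuthenticator: the function
names, the status policy and the sample requests are constructed here.
"""
from typing import Dict, List, Optional, Tuple

# Methods for which serving an HTML login form makes sense (assumed policy:
# HEAD is treated like GET, the thread leaves that open).
SAFE_METHODS = {"GET", "HEAD"}


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """HTTP header names are case-insensitive; look the value up accordingly."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_accept(value: str) -> List[Tuple[str, float]]:
    """Parse an Accept header into (media-type, q) pairs.

    Media types are lower-cased, q defaults to 1.0, and an unparsable q is
    treated as 0 so a malformed header cannot force the HTML branch.
    """
    parsed = []
    for element in value.split(","):
        element = element.strip()
        if not element:
            continue
        pieces = [p.strip() for p in element.split(";")]
        media_type = pieces[0].lower()
        q = 1.0
        for param in pieces[1:]:
            if param.lower().startswith("q="):
                try:
                    q = float(param[2:])
                except ValueError:
                    q = 0.0
        parsed.append((media_type, min(max(q, 0.0), 1.0)))
    return parsed


def explicitly_accepts_html(headers: Dict[str, str]) -> bool:
    """True only if text/html is named with q > 0.

    A wildcard such as */* technically covers HTML, but XHR libraries and
    WebDAV clients commonly send it (or no Accept at all), so only an explicit
    text/html counts as "this user agent can render a login form".
    """
    accept = get_header(headers, "Accept")
    if accept is None:
        return False
    return any(media == "text/html" and q > 0 for media, q in parse_accept(accept))


def choose_response(method: str, headers: Dict[str, str],
                    basic_auth_enabled: bool) -> Tuple[int, Dict[str, str]]:
    """Return (status, response headers) for a request that needs authentication.

    Policy (constructed for this example):
      * GET or HEAD from a client that explicitly accepts text/html -> 200 login form
      * otherwise 401 plus WWW-Authenticate when HTTP Basic is enabled (a 401
        without a challenge header is not a valid response)
      * otherwise 403, because no credential mechanism the client could use is offered
    """
    if method.upper() in SAFE_METHODS and explicitly_accepts_html(headers):
        return 200, {"Content-Type": "text/html; charset=utf-8"}
    if basic_auth_enabled:
        return 401, {"WWW-Authenticate": 'Basic realm="sling"'}  # realm name is assumed
    return 403, {}


# Constructed sample requests, modelled on the clients discussed in the thread.
SAMPLES = {
    "browser": ("GET", {"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"}),
    "webdav_options": ("OPTIONS", {"User-Agent": "example-dav-client"}),
    "xhr_post": ("POST", {"Accept": "*/*", "X-Requested-With": "XMLHttpRequest"}),
    "html_refused": ("GET", {"accept": "text/html;q=0, application/json"}),
}

if __name__ == "__main__":
    for name, (method, headers) in SAMPLES.items():
        for basic in (True, False):
            status, _ = choose_response(method, headers, basic)
            print(f"{name:15} basic={basic!s:5} -> {status}")
```

With HTTP Basic switched off, every non-browser client in the table gets a 403, and with it switched on they get a 401 challenge; the browser gets the login form either way. Whether real WebDAV clients send an explicit `text/html` is exactly the client-testing question raised above, which is why the check is kept strict rather than matching wildcards.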
