Hi,

On 17.09.2010 18:09, Justin Edelson wrote:
> At least in the WebDAV case, is there any way to use the Accepts header
> to help with making the decision as to how to respond? i.e. if Accepts
> contains text/html, return the login page. If it doesn't, return a 401.
> Perhaps this requires more testing of WebDAV clients than we can
> effectively do, but it does seem to make semantic sense - if a user
> agent says it can support (accept) HTML, we should give it HTML.

Sounds like a good idea. But: The first request of WebDAV clients
generally is an OPTIONS request which does not have many headers except
Host and User-Agent.

> Doesn't really help with XHR, but I thought the 403 response was the
> right way to deal with that.

Yes.

Regards
Felix

> Justin
>
> On 9/17/10 10:59 AM, Felix Meschberger wrote:
>> Hi all,
>>
>> I am trying to tackle issues SLING-1400 [1] and SLING-1745 [2].
>>
>> The first issue is about WebDAV clients connecting to Sling on root with
>> an OPTIONS request and not being happy with a redirect response, obviously.
>>
>> The second issue is about client side JavaScript application frameworks
>> which may send XHR requests to Sling, mainly POSTs destined for the POST
>> Servlet but probably also other stuff. Such frameworks are also generally
>> not very happy getting redirect responses back.
>>
>> Solutions for both problems would probably have to be implemented in the
>> SlingAuthenticator.doLogin method, which is called after an unsuccessful
>> login or after a first request noticing that authentication is required.
>>
>> So here are the options I came up with:
>>
>> * Send back a 401 response, at least for the OPTIONS request
>> to trigger a regular HTTP Basic Authentication
>> * Send back a 403 response, to indicate that access is currently
>> forbidden (we discussed this option earlier [3]).
>>
>> My questions:
>>
>> - Would it be ok to special case the OPTIONS request?
>> - Shall we generally only send back a generic credentials request
>> (may be a redirect or a form directly or whatever) if the
>> original request was GET and send back either 401 or 403 for
>> all non-GET requests, including HEAD?
>> - Is it a good idea to send back 401 generally?
>> - Should we only send back 401 if HTTP Basic authentication is
>> enabled fully or enabled preemptively and send back 403 if
>> HTTP Basic authentication is switched off completely?
>> - Am I completely off track?
>>
>> WDYT?
>>
>> Regards
>> Felix
>>
>> [1] https://issues.apache.org/jira/browse/SLING-1400
>> [2] https://issues.apache.org/jira/browse/SLING-1745
>> [3] http://markmail.org/message/jwsvk6swnxvvfsyz
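The decision the thread is circling (login page vs. 401 vs. 403, chosen from the request method, the Accept header and whether HTTP Basic authentication is enabled) as a framework-independent function. This is an added illustration, not code from the thread or from Sling's SlingAuthenticator; the combined policy (OPTIONS always gets 401, a GET that accepts text/html gets the login form, everything else gets 401 only when Basic authentication is enabled and 403 otherwise) and all names are assumptions drawn from the options above.

```python
from typing import Dict, Optional

# Assumed response choices mirroring the options discussed in the thread.
LOGIN_FORM = "login-form"   # redirect to / render the HTML login page
UNAUTHORIZED = 401          # must carry WWW-Authenticate to trigger Basic auth
FORBIDDEN = 403             # access denied, no credentials challenge


def accepts_html(accept_header: Optional[str]) -> bool:
    """True if the Accept header explicitly lists text/html with q > 0.

    A missing header (the usual WebDAV OPTIONS case) or a bare */* is treated
    as 'no stated preference for HTML', so the caller will not send a form.
    """
    if not accept_header:
        return False
    for media_range in accept_header.split(","):
        parts = [p.strip() for p in media_range.split(";")]
        if parts[0].lower() != "text/html":
            continue
        quality = 1.0
        for param in parts[1:]:
            if param.lower().startswith("q="):
                try:
                    quality = float(param[2:])
                except ValueError:
                    quality = 0.0   # malformed q value: treat as not acceptable
        return quality > 0
    return False


def choose_response(method: str, headers: Dict[str, str],
                    basic_auth_enabled: bool):
    """Pick the answer for a request that needs credentials (assumed policy)."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    method = method.upper()
    # WebDAV clients start with OPTIONS carrying little more than Host and
    # User-Agent, so an Accept-based rule never fires for them: special-case
    # it and always challenge, so a regular Basic authentication can start.
    if method == "OPTIONS":
        return UNAUTHORIZED
    # Only an interactive GET that says it can render HTML gets the login page.
    if method == "GET" and accepts_html(hdrs.get("accept")):
        return LOGIN_FORM
    # HEAD, POST (including XHR) and non-HTML GETs: a 401 is only meaningful
    # if Basic authentication is actually switched on; otherwise say 403.
    return UNAUTHORIZED if basic_auth_enabled else FORBIDDEN
```

Constructed calls such as `choose_response("OPTIONS", {"Host": "localhost", "User-Agent": "WebDAVFS"}, False)` return 401, while an XHR POST with Basic authentication disabled returns 403.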
