On 17/06/10 20:29, webp...@tigris.org wrote:
> I've been using the "ChallengeResponse" mechanism to authenticate users so 
> far.
>
> ChallengeResponse challengeResponse = getRequest().getChallengeResponse();
> if( challengeResponse == null ){
>       throw new RuntimeException("not authenticated");
> }
> String login = challengeResponse.getIdentifier();
> String password = new String(challengeResponse.getSecret());
>
> From my understanding, "ChallengeResponse" requires that the username and 
> password are put into headers. However a client needs to put the credentials 
> into the url like so:
>
> https://username:passw...@www.myserver.com/my_secure_document
>
> I wasn't able to figure out how to pull this information from the URL in 
> order to authenticate.  How is this done?

(Doing so is often considered bad practice, because there's a risk of 
sending the username and password when you share the link.)

If you use the username and password in the browser, it's normally the 
browser that handles it and uses it for basic authentication. This 
information is still sent to the server via the headers.

Not all browsers support this, sometimes for security reasons:
http://support.microsoft.com/kb/834489

Best wishes,

Bruno.

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2623429
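
What the reply describes, as an added example (not part of the original message and not Restlet code): a client moves the `user:password` part of the URL into a Basic `Authorization` header, and the server reads the credentials back from that header. The class name, sample URL and credentials are constructed for illustration; only the Java standard library is used.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class UserInfoToBasicAuth {

    // Client side: turn the userinfo part of a URL into a Basic Authorization header value.
    static String headerFromUrl(URI uri) {
        String userInfo = uri.getUserInfo(); // percent-decoded "user:password", or null if absent
        if (userInfo == null) {
            return null;
        }
        byte[] raw = userInfo.getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    // Server side: recover identifier and secret from the header value.
    static String[] credentialsFromHeader(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            throw new IllegalArgumentException("not authenticated");
        }
        byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
        String pair = new String(raw, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':'); // split on the first colon: the password may contain ':'
        if (colon < 0) {
            throw new IllegalArgumentException("malformed credentials");
        }
        return new String[] { pair.substring(0, colon), pair.substring(colon + 1) };
    }

    public static void main(String[] args) {
        // Constructed sample URL; %3A is an encoded ':' inside the password.
        URI uri = URI.create("https://alice:s3cr%3At@www.example.com/my_secure_document");
        String header = headerFromUrl(uri);

        // What is sent: the request line carries no credentials, only the header does.
        System.out.println("GET " + uri.getRawPath() + " HTTP/1.1");
        System.out.println("Host: " + uri.getHost());
        System.out.println("Authorization: " + header);

        String[] creds = credentialsFromHeader(header);
        System.out.println("identifier=" + creds[0] + " secret=" + creds[1]);
    }
}
```

The server never sees the `user:password@` part in the request target, which is why the credentials are read from the header on the server side. The link itself still carries them wherever it is copied or stored.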
