"Sharad Desai" <[EMAIL PROTECTED]> writes:

>> The only fly in the ointment here is that none of the WebSSO solutions
>> currently available can handle authenticating POST requests, where the
>> user hasn't previously authenticated to the service, due to their
>> requirement for redirects. For us, this was a small price to pay.
>
> I apologize, but can you elaborate on this?
WebSSO systems handle unauthenticated users by redirecting them to a central login server as a response to an attempt to access a protected resource. The HTTP protocol, however, does not permit returning a redirect as the result of a POST, nor is there any good way to stash the data that comes along with a POST while bouncing the user through the login server without application support for the SSO system (which is contrary to a primary goal: the ability to drop WebSSO in front of any arbitrary web application without modifying the application).

As a result, when using a WebSSO, you have to ensure that the user has authenticated at some point in the page flow before they do a POST. You can't authenticate them at the time of the POST; you need to have existing credentials to use at that point.

This usually isn't much of a problem since it's considered best practice for most applications using POST to force the user to authenticate prior to the POST anyway (otherwise, some cross-site attacks and deceptive tricks are easier to perform).

-- 
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
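The flow Russ describes, as an added example that is not part of the thread and not code from any real WebSSO product: a minimal simulation of an SSO front-end filter sitting in front of an unmodified application. An unauthenticated GET is bounced to a central login server with only the URL carried along, so the page arrives intact after login; an unauthenticated POST bounced the same way comes back as a GET with an empty body, because the filter has nowhere to keep the form data without application support; a POST made with an existing session goes straight through. The login server URL, cookie name, session store and principal are assumptions for the example, and the simulation bounces the POST just like a GET purely to make the data loss visible.

```python
"""
Added example (not code from the Kerberos list thread or any real WebSSO
product): a minimal simulation of a WebSSO front-end filter placed in front
of an unmodified application. Hostnames, cookie name, session store and
principal are assumptions for the example.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, quote, urlparse

LOGIN_SERVER = "https://login.example.org/sso"  # assumed central login URL
SESSION_COOKIE = "SSO_SESSION"                   # assumed cookie name

# Session store shared by the login server and the filter. A real filter
# would validate a signed token or Kerberos ticket; here it is a lookup.
# "sess-existing" is a constructed session for a user who already logged in.
SESSIONS = {"sess-existing": "jdoe@EXAMPLE.ORG"}


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    body: bytes = b""


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def backend_app(req, principal):
    """The protected application. It never sees unauthenticated traffic and
    trusts the identity the filter established (passed as an argument here;
    a real filter would set REMOTE_USER or a request header)."""
    if req.method == "POST":
        return Response(200, body=b"stored %d bytes for %s"
                        % (len(req.body), principal.encode()))
    return Response(200, body=b"page %s for %s"
                    % (req.path.encode(), principal.encode()))


def sso_filter(req):
    """Front-end filter: pass authenticated requests to the app, bounce
    everything else to the login server with the URL as the only state."""
    principal = SESSIONS.get(req.cookies.get(SESSION_COOKIE))
    if principal is not None:
        return backend_app(req, principal)
    location = "%s?return_to=%s" % (LOGIN_SERVER, quote(req.path, safe=""))
    # req.body is not referenced at all: there is nowhere to stash it.
    return Response(302, headers={"Location": location})


def login_server(location, principal):
    """Stand-in for the central login server: the user authenticates (assumed
    to succeed as `principal`), a session is issued, and the browser is sent
    back to return_to. The browser follows that redirect with a GET."""
    return_to = parse_qs(urlparse(location).query)["return_to"][0]
    cookie = "sess-%d" % len(SESSIONS)
    SESSIONS[cookie] = principal
    return cookie, return_to


def browse(req, principal="jdoe@EXAMPLE.ORG"):
    """Drive one browser interaction through the filter, following the SSO
    bounce if there is one. Returns (final_response, request_the_app_saw)."""
    resp = sso_filter(req)
    if resp.status != 302:
        return resp, req
    cookie, return_to = login_server(resp.headers["Location"], principal)
    # After login the browser comes back with a GET: the POST body is gone.
    replay = Request("GET", return_to, cookies={SESSION_COOKIE: cookie})
    return sso_filter(replay), replay


if __name__ == "__main__":
    # unauthenticated GET: bounced, logged in, page delivered
    print(browse(Request("GET", "/app/page"))[0].body)
    # unauthenticated POST: bounced, logged in, but the form data never arrives
    resp, seen = browse(Request("POST", "/app/submit", body=b"amount=100"))
    print(resp.body, seen.method, seen.body)
    # POST with an existing session: goes straight through with its body
    resp, seen = browse(Request("POST", "/app/submit",
                                cookies={SESSION_COOKIE: "sess-existing"},
                                body=b"amount=100"))
    print(resp.body, seen.method, seen.body)
```

The second case is the one the thread is about: the application ends up serving a GET of `/app/submit` to a now-authenticated user, and `amount=100` is silently lost. The third case is the recommended page flow, where the user already holds a session before submitting, so the filter never has to bounce a POST.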