[Registry-dev] HTTP basic authentication
Chathura C. Ekanayake
chathura at wso2.com
Fri Jan 4 09:55:54 PST 2008
I have implemented the HTTP basic authentication support for resource
content access through the webapp.

Now the authorization for the HTTP GET requests for the
wso2registry/resources/... path works as below.

If a user is not logged in and a GET request is made on an unauthorized
resource, a WWW-Authenticate: Basic realm="WSO2Registry" header is sent
with a 401 response.

If the request contains an Authorization: Basic
QWxhZGRpbjpvcGVuIHNlc2FtZQ== header, the specified user is authenticated and
logged in. This happens irrespective of whether a user is logged in or not. That
means a client can force a login as a user by providing the
Authorization header.

If a user is logged in and a GET request is made on an unauthorized
resource, a 401 response is returned without the WWW-Authenticate header.

I have tested this implementation using the Firefox browser and tcpmon.

Thanks,
Chathura