[Registry-dev] HTTP basic authentication

Sanjiva Weerawarana sanjiva at wso2.com
Sat Jan 5 03:23:16 PST 2008


Hi Chathura,

Excellent! Did you also try this over HTTPS? Please set up a testcase too 
to make sure it's working right.

Since the browser maintains the HTTP session, is it correct that in the 
browser case the authn happens only once? Whereas in the RemoteRegistry 
case, the authn will happen each time right now as we're not getting HTTP 
session support by Abdera. Deepal, please check that the authn is working 
right for the remote registry too.

Sanjiva.

Chathura C. Ekanayake wrote:
> 
> I have implemented the HTTP basic authentication support for resource 
> content access through the webapp.
> 
> Now the authorization for the HTTP GET requests for the 
> wso2registry/resources/... path works as below.
> 
> If a user is not logged in and a GET request is made on an unauthorized 
> resource, a WWW-Authenticate: Basic realm="WSO2Registry" header is sent 
> with a 401 response.
> 
> If the request contains an Authorization: Basic 
> QWxhZGRpbjpvcGVuIHNlc2FtZQ== header, the specified user is authenticated 
> and logged in. This happens irrespective of whether a user is logged in 
> or not. That means a client can force a login as a user by providing the 
> Authorization header.
> 
> If a user is logged in and a GET request is made on an unauthorized 
> resource, a 401 response is returned without the WWW-Authenticate header.
> 
> I have tested this implementation using the Firefox browser and tcpmon.
> 
> Thanks,
> Chathura

-- 
Sanjiva Weerawarana, Ph.D.
Founder, Chairman & CEO; WSO2, Inc.; http://www.wso2.com/
email: sanjiva at wso2.com; cell: +1 650 265 8311 | +94 77 787 6880

"Oxygenating the Web Service Platform."
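
The three GET cases described in the quoted message, as an added Python sketch that is not part of the thread and not WSO2 Registry code. The names parse_basic and handle_get, the in-memory user store, and the response to a failed login are assumptions; the realm and the sample header value are the ones quoted above.

```python
import base64
import binascii
import hmac

REALM = "WSO2Registry"  # realm string quoted in the message

def parse_basic(header):
    """Decode an Authorization header value; return (user, password) or None."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        # Base64 is an encoding, not encryption: anyone who captures the
        # header recovers the password, hence the HTTPS question.
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # password may contain ':'
    return (user, password) if sep and user else None

def handle_get(session_user, auth_header, users, allowed):
    """Hypothetical handler; returns (status, headers, session user afterwards)."""
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    if auth_header is not None:
        # Header credentials are checked whether or not a session exists.
        creds = parse_basic(auth_header)
        stored = users.get(creds[0]) if creds else None
        if stored is None or not hmac.compare_digest(
                stored.encode(), creds[1].encode()):
            # Assumption: the message does not say what a failed login returns.
            return 401, challenge, session_user
        session_user = creds[0]
    if session_user in allowed:
        return 200, {}, session_user
    if session_user is None:
        return 401, challenge, None   # anonymous: ask the client to authenticate
    return 401, {}, session_user      # logged in but not permitted: no challenge

if __name__ == "__main__":
    users = {"Aladdin": "open sesame"}  # constructed demo store, plaintext for brevity
    allowed = {"Aladdin"}               # users permitted to read the resource
    header = "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
    print(parse_basic(header))
    print(handle_get(None, None, users, allowed))
    print(handle_get("bob", None, users, allowed))
    print(handle_get("bob", header, users, allowed))
```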
