Vincent Massol wrote:
On Dec 19, 2008, at 6:27 PM, Fabio Mancinelli wrote:
Vincent Massol wrote:
Does this mean I cannot open my browser and call the REST URL without
specifying a user?
It should open up the authentication dialog where you type your username
and password (or guest) the first time you request a resource.
Is that right? It sounds cumbersome and bad for easy automation when
you want guest access.
Cannot we default to guest when no username/account is specified?
Well, when a resource is requested for the first time (i.e., a request
with no auth headers) either the server assumes that it is a guest or it
sends back a challenge (e.g., auth basic) in order to request an auth
header.
It's this challenge that makes the browser open the popup. So if we want
to be able to authenticate users that type URIs in a browser we need to
make this popup open. AFAIK this is the only way for making the browser
send an auth header. Otherwise a user that types URIs in a plain browser
will always result as "guest".
For automation I don't really see the problem. If we are going to write
a script or another automated agent, for example using curl, we can
always stick an auth header starting from the first request and no
challenge will be generated: the server will provide the requested
resource (provided that the credentials in the auth header are correct).
-Fabio
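
The two server behaviours discussed in this thread (default to guest, or send a Basic challenge) and the preemptive header a script would send, as an added example that is not part of the original messages or of XWiki's code. The user store, the realm name, the function names and the choice to answer wrong credentials with 401 are assumptions made for illustration.

```python
import base64
import binascii
import hmac

# Constructed sample credentials (assumption; a real server stores password hashes).
USERS = {"alice": "s3cret"}
REALM = "XWiki"  # hypothetical realm name


def parse_basic(header):
    """Return (user, password) from an Authorization value, or None if malformed."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def handle(headers, guest_default=True):
    """Return (status, response_headers, identity) for one request.

    headers is a plain dict keyed by "Authorization" (assumed already normalised).
    """
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    raw = headers.get("Authorization")
    if raw is None:
        # No auth header: either assume guest, or challenge so a browser opens its dialog.
        return (200, {}, "guest") if guest_default else (401, challenge, None)
    creds = parse_basic(raw)
    if creds is None:
        return 401, challenge, None
    user, password = creds
    expected = USERS.get(user)
    # compare_digest avoids leaking how much of the password matched through timing.
    if expected is not None and hmac.compare_digest(password.encode(), expected.encode()):
        return 200, {}, user
    # Assumption: bad credentials are rejected rather than silently downgraded to guest.
    return 401, challenge, None


def preemptive_header(user, password):
    """Header value an automated client sends on its very first request."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```

With `guest_default=True` a browser never sees a 401 and so never prompts, which is the trade-off described above; a client that sends the header up front is authenticated under either policy.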