Eduard Moraru wrote:
Vincent Massol wrote:
On Dec 19, 2008, at 6:27 PM, Fabio Mancinelli wrote:
Vincent Massol wrote:
Does this mean I cannot open my browser and call the REST URL without specifying a user?
It should open up the authentication dialog where you type your username and password (or guest) the first time you request a resource.
Is that right? It sounds cumbersome and bad for easy automation when
you want guest access.
Cannot we default to guest when no username/account is specified?
Thanks
-Vincent
+1
I think it would be easier and more natural to have the default to guest
or anonymous user.
When an anonymous user tries to access restricted content -> 403
If he wants to log in, he just does:
http://user:password@xwikihost.xxx/space/X/page/Y
+1 for URL authentication. This is something needed (for command line
clients that don't speak BASIC auth), although it is not safe at all.
Still, it has the same safety level as BASIC auth, so it is no less safe
than other authentication methods (given that by default our login sends
plaintext values over HTTP).
We should mimic the basic auth and skip the popup window that requires user/pass in the browser.
That is: Imply that the current user is exactly who he says he is and do
not assume he could be a user with rights to a resource until he
explicitly says so.
-1. Although URL authentication should not create any persistent
authentication, we need something persistent (using cookies).
--
Sergiu Dumitriu
http://purl.org/net/sergiu/
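
The behaviour proposed in this thread (guest by default, 403 rather than a login prompt on restricted pages, credentials taken from the URL as Basic auth), sketched as an added example that is not XWiki code or part of any message above. The account, the ACL table, the `guest` name and the 401 for wrong credentials are assumptions made for illustration.

```python
import base64
import hmac
from urllib.parse import urlsplit, unquote

# Constructed sample data: the account and the page ACL are hypothetical.
USERS = {"alice": "s3cret"}
RESTRICTED = {"/space/X/page/Y": {"alice"}}
GUEST = "guest"

def basic_header_from_url(url):
    """Authorization header an HTTP client derives from user:password@ in a URL."""
    parts = urlsplit(url)
    if parts.username is None:
        return None
    raw = f"{unquote(parts.username)}:{unquote(parts.password or '')}"
    return "Basic " + base64.b64encode(raw.encode()).decode()

def decode_basic(header):
    """Recover (user, password); base64 is an encoding, so any observer can do this."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, sep, password = base64.b64decode(token, validate=True).decode().partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 bytes
        return None
    return (user, password) if sep else None

def identify(header):
    """User name, GUEST when no credentials are sent, None when they are wrong."""
    if not header:
        return GUEST
    creds = decode_basic(header)
    if creds is None:
        return None
    expected = USERS.get(creds[0])
    if expected is None or not hmac.compare_digest(expected.encode(), creds[1].encode()):
        return None
    return creds[0]

def status_for(path, header=None):
    """HTTP status under the proposal: guests are never challenged, only refused."""
    user = identify(header)
    if user is None:
        return 401  # assumption: credentials that were offered but wrong are rejected
    allowed = RESTRICTED.get(path)
    return 200 if allowed is None or user in allowed else 403
```

Because the header decodes back to the clear-text pair, URL credentials and Basic auth are equally exposed over plain HTTP; only transport encryption changes that.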