
Re: Atom 0.2 feedback

i have just run some tests with vanilla apache and cgi, and
verified that using an auth mechanism unknown to the embedded
server modules allows it to pass through to the cgi script.
my test script returns 401 and the WWW-Authenticate field if
it doesn't receive any credentials (no Authorization field).
if it receives an Authorization field naming the Atom auth
scheme, it looks for the X-Atom extension field.  if found,
it returns 200, otherwise goes back to 401.

there is a transaction log at http://pastebin.com/13943 --
it shows a client (me using telnet in this case ;-) requesting
the cgi script, and the script's responses.

some notes about this technique:

o this jiggery-pokery is necessary because apache does
  not make the value of the Authorization response header
  field available to cgi scripts -- so the credential
  information needs to be passed through extension fields.
o this works within the framework of HTTP, using its
  mechanisms and extension methods properly.
o in my example, in the 'WWW-Authenticate: Atom foo' and
  'Authorization: Atom foo' field values, the 'foo' is
  essentially a no-op; the important thing is the Atom
  auth scheme name, which signals the 'look at the X-Atom.*
  fields' activity.
o WWW-Authenticate can report *multiple* acceptable auth
  schemes.  clients should respond with the most specific or
  most secure one they support.  if WWW-Authenticate indicates
  that the server can handle Basic, Atom, and Digest auth
  schemes, the client should respond with Atom, Digest, or
  Basic auth, in that order, depending on which it supports.
o clients need to be able to handle the standard Basic and
  (optionally) Digest schemes in order to correctly interoperate
  with environments that are using common server protection
  mechanisms instead of Atom's.
-- 
#ken	P-)}

Ken Coar, Sanagendamgagwedweinini  http://Golux.Com/coar/
Author, developer, opinionist      http://Apache-Server.Com/

"Millennium hand and shrimp!"
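The server-side check and the client-side scheme choice described in the message, as an added example that is not Ken's test script and not part of the original post. It is a CGI-style handler in Python: with no credentials it answers 401 plus `WWW-Authenticate: Atom foo`; when the request is an Atom attempt it looks for the `X-Atom` extension field (which CGI exposes as `HTTP_X_ATOM`) and returns 200 if present, 401 otherwise. It goes slightly beyond the post in two ways, both labelled in comments: it also treats a request as an Atom attempt when the server has withheld `Authorization` entirely (the Apache behaviour the notes mention) but `X-Atom` is present, and it accepts an optional `verify` callback so the credential value is actually checked rather than merely found. `choose_scheme` implements the preference order from the notes (Atom, then Digest, then Basic) over a list of challenge values, one challenge per `WWW-Authenticate` field. The challenge text `Atom foo`, the environment-variable names and the sample values are assumptions taken from the message or constructed here.

```python
"""CGI-style handler for the 'Atom' auth-scheme pass-through technique.

Added example, not the script from the message. Assumptions: the server maps
the request header X-Atom to the CGI variable HTTP_X_ATOM and, when it exposes
it at all, Authorization to HTTP_AUTHORIZATION; 'Atom foo' is the challenge
from the message (the 'foo' is a no-op, the scheme name is what matters).
"""
import os
import sys

CHALLENGE = "Atom foo"
# Client preference, most specific first, as the notes describe.
PREFERENCE = ["Atom", "Digest", "Basic"]


def scheme_of(header_value):
    """Return the auth-scheme token that starts a credentials or challenge value."""
    if not header_value or not header_value.strip():
        return ""
    return header_value.strip().split(None, 1)[0]


def handle_request(env, verify=None):
    """Return (status, headers) for a CGI environment dict.

    verify: optional callable given the X-Atom value; returns True if the
    credential is acceptable. With verify=None any non-empty X-Atom value is
    accepted, which mirrors the test script in the message.
    """
    challenge = [("WWW-Authenticate", CHALLENGE)]
    authz = env.get("HTTP_AUTHORIZATION", "")
    if authz and scheme_of(authz).lower() != "atom":
        # Client answered with some other scheme; this script only handles Atom.
        return 401, challenge
    # Either Authorization names Atom, or the server withheld Authorization
    # (Apache does not pass it to CGI) and only the extension field survives.
    cred = env.get("HTTP_X_ATOM", "").strip()
    if not cred:
        return 401, challenge
    if verify is not None and not verify(cred):
        return 401, challenge
    return 200, [("Content-Type", "text/plain")]


def choose_scheme(challenges, supported=PREFERENCE):
    """Pick the scheme a client should answer with.

    challenges: list of WWW-Authenticate field values, one challenge each,
    e.g. ['Basic realm="atom"', 'Atom foo', 'Digest realm="atom", nonce="n"'].
    Returns the chosen scheme name from `supported`, or None if nothing
    offered is supported.
    """
    offered = {scheme_of(c).lower() for c in challenges}
    for want in supported:
        if want.lower() in offered:
            return want
    return None


def main():
    """CGI entry point: read the environment, emit a status line and headers."""
    status, headers = handle_request(os.environ)
    reason = {200: "OK", 401: "Unauthorized"}[status]
    lines = ["Status: %d %s" % (status, reason)]
    lines += ["%s: %s" % (name, value) for name, value in headers]
    sys.stdout.write("\r\n".join(lines) + "\r\n\r\n")
    if status == 200:
        sys.stdout.write("authenticated via Atom scheme\n")


if __name__ == "__main__":
    main()
```

Run as a CGI script it reproduces the exchange in the message: a bare request gets `401` with the `Atom foo` challenge, and a request carrying `Authorization: Atom foo` plus an `X-Atom` field gets `200`. Because `X-Atom` is the only thing a CGI script can see under a stock Apache, the `verify` hook is where a real deployment checks that value; without it the script only proves that the header reached the script, exactly what the test in the message set out to show.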