Speifying mechanisms [was RE: XML2004Hackathon]

["Mark Birbeck" <mark.birbeck@xxxxxxxxxx>]

Joe,

> > That all seems reasonable, but there would therefore need 
> to be a way 
> > to tell an Atom client which security mechanism to use for a 
> > particular system.
> 
> That's what a status code of 401 and the 
> WWW-Authenticate: header are for.

Yes, but that's incredibly long-winded ... you have to fail before you know
how to succeed. And also, if you have an Atom feed that contains references
to entries that are on a number of different servers, you have to fail again
for each server. In fact you may need to fail for each operation, because if
we give one URL for new entries and another for edits, we might choose to
use different security mechanisms for each.

(Note also that WWW-Authenticate is protocol dependent, which -- so far --
much of Atom is not.)

It seems to me that since the Atom architecture is very much about being
able to find interact points 'dynamically', then all we would need to see is
some information that tells us what security technique to use when accessing
a particular URL. We can then avoid the trial and error approach, have a
different security mechanism for each URL if we wanted to, and not fix
things to any particular protocol.

Regards,

Mark


Mark Birbeck
CEO
x-port.net Ltd.

e: Mark.Birbeck@xxxxxxxxxx
t: +44 (0) 20 7689 9232
w: http://www.formsPlayer.com/

Download our XForms processor from
http://www.formsPlayer.com/