Thread: Authenticate "on demand"




Authenticate "on demand"
user name
2006-03-30 17:32:00
>Apparently this is just hiding the content not actually signing them off.

Unless Apache on iSeries works differently, there's nothing to "signoff".

The first time a browser requests a page that's protected it doesn't send an authenticated header, and as such, the server kicks the request back with a 401 requesting authentication. The browser then asks the user for the username and password and then responds to the server by including an authentication header w/the username and password. All subsequent requests also include the username and password. In reality each request is checked by the server and since the authentication header is already there (and valid) the content is served.

How would you sign that off? There is no stateful session information there to signoff -- it's up to the browser to throw out the cached username and password. Now, sending a new 401 response may cause the browser to throw out its cache of the old username and password, I'm not sure (and the answer would vary from browser to browser) but I don't see what you could do on the server to force it.

Of course, if you didn't use native authentication and either rolled your own plugin for basic authentication, or went with something that was session based you'd be better off, but that is more work.

-Walden

------------
Walden H Leverich III
Tech Software
(516) 627-3800 x3051
WaldenLTechSoftInc.com
http://www.TechSoftInc.com


Quiquid latine dictum sit altum viditur.
(Whatever is said in Latin seems profound.)

-- 
This is the Web Enabling the AS400 / iSeries (WEB400) mailing list
To post a message email: WEB400midrange.com
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-requestmidrange.com
Before posting, please take a moment to review the archives
at http://archive.midrange.com/web400.
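
The behaviour described in the message above, as an added example that is not part of the original thread: a minimal Python model of per-request Basic checking next to a session-based scheme where the server has something to sign off. The user store, the function names and the `sid` cookie name are assumptions made for the illustration.

```python
import base64
import hmac
import secrets

# Constructed credential store for the demo (assumption; a real server
# would verify against password hashes or the system user registry).
USERS = {"alice": "s3cret"}
SESSIONS = {}  # session id -> username; the only server-side state

def _password_ok(user, password):
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(
        password.encode(), expected.encode())

def basic_auth_request(headers):
    """Stateless check: each request is judged on its own header."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "basic":
        try:
            user, _, password = base64.b64decode(token).decode().partition(":")
        except ValueError:  # bad base64 or bad UTF-8
            user, password = "", ""
        if _password_ok(user, password):
            return 200, {}
    return 401, {"WWW-Authenticate": 'Basic realm="demo"'}

def session_login(user, password):
    """Session scheme: credentials are sent once, then a random id is used."""
    if not _password_ok(user, password):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user
    return sid

def session_request(cookies):
    return 200 if cookies.get("sid") in SESSIONS else 401

def session_logout(cookies):
    """Sign-off: delete the server-side record so the cookie stops working."""
    SESSIONS.pop(cookies.get("sid"), None)

def demo():
    hdr = {"Authorization": "Basic " + base64.b64encode(b"alice:s3cret").decode()}
    out = {"basic_first": basic_auth_request({})[0],
           "basic_with_header": basic_auth_request(hdr)[0],
           "basic_replayed": basic_auth_request(hdr)[0]}  # nothing to revoke
    cookies = {"sid": session_login("alice", "s3cret")}
    out["session_before_logout"] = session_request(cookies)
    session_logout(cookies)
    out["session_after_logout"] = session_request(cookies)  # same cookie, now refused
    return out
```

With Basic authentication the replayed header is accepted for as long as the password is valid; only the session variant gives the server a record it can delete.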

Authenticate "on demand"
user name
2006-03-30 19:05:56
I didn't want to be the bearer of bad news and I've held my tongue -- so to speak -- since I was only 99% sure, but Walden is correct.

There's a user authentication class in the Java toolkit if you'd like to roll your own. It's a basic function so you shouldn't have any problems locating sample code.

Thanks,
Alfred

Walden H. Leverich wrote:

>>Apparently this is just hiding the content not actually signing them off.
>
>Unless Apache on iSeries works differently, there's nothing to "signoff".
>
>The first time a browser requests a page that's protected it doesn't send an authenticated header, and as such, the server kicks the request back with a 401 requesting authentication. The browser then asks the user for the username and password and then responds to the server by including an authentication header w/the username and password. All subsequent requests also include the username and password. In reality each request is checked by the server and since the authentication header is already there (and valid) the content is served.
>
>How would you sign that off? There is no stateful session information there to signoff -- it's up to the browser to throw out the cached username and password. Now, sending a new 401 response may cause the browser to throw out its cache of the old username and password, I'm not sure (and the answer would vary from browser to browser) but I don't see what you could do on the server to force it.
>
>Of course, if you didn't use native authentication and either rolled your own plugin for basic authentication, or went with something that was session based you'd be better off, but that is more work.
>
>-Walden
>
>------------
>Walden H Leverich III
>Tech Software
>(516) 627-3800 x3051
>WaldenLTechSoftInc.com
>http://www.TechSoftInc.com
>
>Quiquid latine dictum sit altum viditur.
>(Whatever is said in Latin seems profound.)
