Open GoogleCodeExporter opened 8 years ago
I think authorisation is something that should be handled in your protocol
definition. For example: add the authorisation-token (together with additional
info like request-id etc, which you undoubtedly already have..) in a common
'Header' message. Use login/logout rpc calls to obtain/expire an authorisation
token.
Sending the authorisation token 'out-of-band' is kind of backwards to me.
Second, it would introduce code, wire-bytes and need-to-know-how to developers
who do not need authorisation (on a closed network, for example). Don't get
me wrong: authorisation is indeed a separate layer and it should be treated as
such in your app, but it is just not low enough a layer to be sent outside the
protocol.
Besides, there are always 'functions' on the server which are callable without
authorisation. 'login' being the best example.
Original comment by knifter@gmail.com
on 15 Aug 2012 at 10:58
Original issue reported on code.google.com by
sdeo.code@gmail.com
on 4 Oct 2009 at 6:32
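The design suggested in the comment above (token carried in a common header, login/logout calls to obtain and expire it, some methods callable without it) can be sketched server-side as follows. This is an added example, not code from the project or from the commenter; the request layout, the `whoami` method, the user table and the TTL are all assumptions made for illustration.

```python
import hmac
import secrets
import time

TOKEN_TTL = 900                      # seconds (constructed value)
PUBLIC_METHODS = {"login"}           # callable without a token
USERS = {"alice": "correct horse"}   # constructed demo data; store salted hashes in practice
_sessions = {}                       # token -> (user, expiry time)


def login(user, password, now):
    """Issue a random token on valid credentials, else return None."""
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    token = secrets.token_urlsafe(32)
    _sessions[token] = (user, now + TOKEN_TTL)
    return token


def logout(token):
    """Expire a token; unknown tokens are ignored."""
    _sessions.pop(token, None)


# Hypothetical method table; each handler gets (user, header, body, now).
HANDLERS = {
    "login": lambda user, hdr, body, now: login(body["user"], body["password"], now),
    "logout": lambda user, hdr, body, now: logout(hdr["auth_token"]),
    "whoami": lambda user, hdr, body, now: user,
}


def dispatch(request, now=None):
    """Check the in-band header token before invoking any non-public method."""
    now = time.time() if now is None else now
    header = request.get("header", {})
    reply = {"request_id": header.get("request_id")}
    user = None
    if request["method"] not in PUBLIC_METHODS:
        token = header.get("auth_token", "")
        user, expiry = _sessions.get(token, (None, 0))
        if user is None or expiry <= now:
            _sessions.pop(token, None)   # drop expired entries
            return {**reply, "error": "unauthorised"}
    reply["result"] = HANDLERS[request["method"]](user, header, request.get("body"), now)
    return reply
```

The check sits in one place in front of every handler, so a method is protected unless it is explicitly listed in `PUBLIC_METHODS`.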