wyona / yanel

http://www.yanel.org
Apache License 2.0

Reconsider HTML-form/session/cookie based authentication/authorization #50

Open michaelwechner opened 11 years ago

michaelwechner commented 11 years ago

The class

src/webapp/src/java/org/wyona/yanel/servlet/security/impl/DefaultWebAuthenticatorImpl.java

is currently returning a status code 200 also when a user is not authenticated yet, because as described at

http://www.w3.org/html/wg/tracker/issues/13

otherwise the browser would not display the HTML-form response.

Although this seems to be common practice, this approach has its flaws and there seem to be alternative approaches, like for example

http://www.peej.co.uk/articles/http-auth-with-html-forms.html

http://www.berenddeboer.net/rest/authentication.html

Also we should consider the usage of "Optional-WWW-Authenticate" header as described at

http://tools.ietf.org/html/draft-oiwa-http-auth-extension-00
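As an added illustration of the alternative described in the linked articles (answer unauthenticated requests with 401 and still ship the HTML login form in the body), here is a servlet filter written for this issue; it is not code from Yanel, and the filter class, the session attribute name, the "FormBased" scheme token and the /login path are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical filter: unauthenticated requests get 401 plus the HTML login form. */
public class FormLoginFilter implements Filter {
    private static final String REALM = "yanel"; // assumed realm name

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        HttpSession session = request.getSession(false);
        if (session != null && session.getAttribute("user") != null) {
            chain.doFilter(req, res); // authenticated: pass the request on
            return;
        }

        // Not authenticated: say so in the status line, not only in the body, so that
        // caches, crawlers and scripted clients do not mistake the form for the resource.
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        // A 401 must carry WWW-Authenticate; a scheme other than Basic/Digest keeps the
        // browser from opening its own credentials dialog, so the HTML form is rendered.
        response.setHeader("WWW-Authenticate", "FormBased realm=\"" + REALM + "\", action=\"/login\"");
        // The draft-oiwa variant instead keeps 200 and advertises the option in
        // Optional-WWW-Authenticate; clients that do not know the header just ignore it.
        response.setHeader("Cache-Control", "no-store");
        response.setContentType("text/html;charset=UTF-8");
        PrintWriter out = response.getWriter();
        out.print("<!DOCTYPE html><html><body><form method=\"post\" action=\"/login\">"
                + "<input name=\"username\"><input type=\"password\" name=\"password\">"
                + "<button type=\"submit\">Log in</button></form></body></html>");
    }
}
```

The login POST handler itself (checking credentials and setting the "user" session attribute) is outside this example; the point shown is only the status/header choice for the unauthenticated case.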