[Yanel-dev] Authentication successful but authorization denied
Michael Wechner
michael.wechner at wyona.com
Fri Jan 5 22:48:01 CET 2007
Josias Thöny wrote:
>Hi,
>
>On Fri, 2007-01-05 at 17:49 +0100, Andreas Wuest wrote:
>
>
>>Hi
>>
>>There is an unpleasant corner case where a user likes to access a page,
>>is then prompted to authenticate itself, authentication succeeds, but
>>the access subsequently fails because the user, although authenticated
>>correctly, does not have the proper access rights.
>>
>>I don't know how we could improve this behaviour user-interface wise.
>>
>>One possibility would be, since the client sends the cookie from which
>>Yanel can recognise that the user is already authenticated, that Yanel
>>sends a different exception in step 6.
>>
>>This has the downside that a user may have multiple accounts, one which
>>indeed has the rights to access that document, but is currently logged
>>in as a different user. When not offering the user the possibility to
>>authenticate in step 6, he then couldn't change the account.
>>
>>
>
>IIRC in Lenya we show a different login form in that case, which says
>something like:
>
>----
>Access Denied
>The user '{0}' is not authorized to access the page '{1}'
>If you have another user account with the corresponding privileges,
>please provide user name and password below.
>Username: ___
>Password: ___
>----
>
>WDYT, could we do something similar in yanel?
>
>
sure (at least for HTML form based this should work without a problem).
You might want to add an enhancement.
The question might be how to communicate this with Neutron-Auth.
Any suggestions are welcome ;-)
Thanks
Michi
>josias
>
>
>
>
>>Below is a sample conversation of such a case (unimportant headers
>>removed for clarity).
>>
>>
>>Step 1. Yulup (initial request for document):
>>
>>GET
>>http://yanel.wyona.org/specification/annotations.html.txt?yanel.resource.usecase=checkout
>>HTTP/1.1
>>Host: yanel.wyona.org
>>Neutron: 1.0-dev
>>WWW-Authenticate: Neutron-Auth
>>
>>
>>Step 2. Yanel (user is unauthorized, Yanel offers to authenticate):
>>
>>HTTP/1.1 401 Unauthorized
>>WWW-Authenticate: NEUTRON-AUTH
>>Content-Type: text/html;charset=ISO-8859-1
>>Content-Length: 898
>>Set-Cookie: JSESSIONID=DA9A2D7CA3C0B00730BFA35DA0AA8AD8.cnode2; Path=/
>>
>><?xml version="1.0"?><exception xmlns="http://www.wyona.org/neutron/1.0"
>>type="authorization"><message>Authorization denied:
>>http://yanel.wyona.org:80/specification/annotations.html.txt?yanel.resource.usecase=checkout</message><authentication><original-request
>>url="http://yanel.wyona.org:80/specification/annotations.html.txt?yanel.resource.usecase=checkout"/><login
>>url="http://yanel.wyona.org:80/specification/annotations.html.txt?yanel.resource.usecase=checkout&yanel.usecase=neutron-auth"
>>method="POST"><form><message>Enter username and password for "Yanel
>>Website" at "/yanel-website/"</message><param description="Username"
>>name="username"/><param description="Password"
>>name="password"/></form></login><logout
>>url="http://yanel.wyona.org:80/specification/annotations.html.txt?yanel.resource.usecase=checkout&yanel.usecase=logout"
>>realm="Yanel Website"/></authentication></exception>
>>
>>
>>Step 3. Yulup (sends user credentials):
>>
>>POST
>>http://yanel.wyona.org/specification/annotations.html.txt?yanel.resource.usecase=checkout&yanel.usecase=neutron-auth
>>HTTP/1.1
>>Host: yanel.wyona.org:80
>>Content-Type: text/xml; charset=UTF-8
>>Neutron: 1.0-dev
>>WWW-Authenticate: Neutron-Auth
>>Cookie: JSESSIONID=DA9A2D7CA3C0B00730BFA35DA0AA8AD8.cnode2
>>
>><?xml version="1.0"?>
>><authentication xmlns="http://www.wyona.org/neutron/1.0">
>> <param name="username">lenya</param>
>> <param name="password">levi</param>
>> <original-request
>>url="http://yanel.wyona.org:80/specification/annotations.html.txt?yanel.resource.usecase=checkout"/>
>></authentication>
>>
>>
>>Step 4. Yanel (authorization succeeded):
>>
>>HTTP/1.1 200 OK
>>Content-Type: text/plain;charset=ISO-8859-1
>>Content-Length: 34
>>
>>Neutron Authentication Successful!
>>
>>
>>Step 5. Yulup (reissues the original request):
>>
>>GET
>>http://yanel.wyona.org/specification/annotations.html.txt?yanel.resource.usecase=checkout
>>HTTP/1.1
>>Host: yanel.wyona.org
>>Neutron: 1.0-dev
>>WWW-Authenticate: Neutron-Auth
>>Cookie: JSESSIONID=DA9A2D7CA3C0B00730BFA35DA0AA8AD8.cnode2
>>
>>
>>Step 6. Yanel (user is unauthorized, offers to authenticate):
>>
>>HTTP/1.1 401 Unauthorized
>>WWW-Authenticate: NEUTRON-AUTH
>>Content-Type: text/html;charset=ISO-8859-1
>>Content-Length: 898
>>
>><?xml version="1.0"?><exception xmlns="http://www.wyona.org/neutron/1.0"
>>type="authorization"><message>Authorization denied:
>>http://yanel.wyona.org:80/specification/annotations.html.txt?yanel.resource.usecase=checkout</message><authentication><original-request
>>url="http://yanel.wyona.org:80/specification/annotations.html.txt?yanel.resource.usecase=checkout"/><login
>>url="http://yanel.wyona.org:80/specification/annotations.html.txt?yanel.resource.usecase=checkout&yanel.usecase=neutron-auth"
>>method="POST"><form><message>Enter username and password for "Yanel
>>Website" at "/yanel-website/"</message><param description="Username"
>>name="username"/><param description="Password"
>>name="password"/></form></login><logout
>>url="http://yanel.wyona.org:80/specification/annotations.html.txt?yanel.resource.usecase=checkout&yanel.usecase=logout"
>>realm="Yanel Website"/></authentication></exception>
>>
>>
>>
>
>
--
Michael Wechner
Wyona - Open Source Content Management - Apache Lenya
http://www.wyona.com http://lenya.apache.org
michael.wechner at wyona.com michi at apache.org
+41 44 272 91 61
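The two sides of the case discussed above, written as an added example that is not Yanel or Yulup code: the server builds the 401 body with the Lenya-style wording Josias proposes when the session is already authenticated, and the client decides whether to show a plain login or an "access denied, other account?" dialog. The `authenticated-user` attribute on `<authentication>` is a hypothetical extension to the Neutron 1.0 exception, assumed here as one possible answer to the open question of how to communicate this through Neutron-Auth.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

NS = "http://www.wyona.org/neutron/1.0"


def build_neutron_exception(original_url, login_url, logout_url, realm,
                            authenticated_user=None):
    """Server side: build the <exception type="authorization"> body sent
    with the 401.  If the session already carries an authenticated user,
    say who is denied access to what, but keep offering the login form so
    the user can switch accounts (authenticated-user attribute is assumed)."""
    if authenticated_user is None:
        message = "Authorization denied: " + original_url
        user_attr = ""
    else:
        message = ("The user '%s' is not authorized to access the page '%s'. "
                   "If you have another user account with the corresponding "
                   "privileges, please provide user name and password below."
                   % (authenticated_user, original_url))
        user_attr = " authenticated-user=%s" % quoteattr(authenticated_user)
    return (
        '<?xml version="1.0"?><exception xmlns="%s" type="authorization">' % NS
        + "<message>%s</message>" % escape(message)
        + "<authentication%s>" % user_attr
        + "<original-request url=%s/>" % quoteattr(original_url)
        + '<login url=%s method="POST"><form>' % quoteattr(login_url)
        + "<message>Enter username and password for %s</message>" % escape(realm)
        + '<param description="Username" name="username"/>'
        + '<param description="Password" name="password"/>'
        + "</form></login>"
        + "<logout url=%s realm=%s/>" % (quoteattr(logout_url), quoteattr(realm))
        + "</authentication></exception>"
    )


def classify_neutron_exception(xml_text):
    """Client side: parse a 401 body and return
    (kind, message, login_url, param_names) where kind is "login" for an
    anonymous session or "switch-account" when a user is already logged in."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}exception" % NS or root.get("type") != "authorization":
        raise ValueError("not a Neutron authorization exception")
    auth = root.find("{%s}authentication" % NS)
    login = auth.find("{%s}login" % NS)
    params = [p.get("name") for p in login.iter("{%s}param" % NS)]
    kind = "switch-account" if auth.get("authenticated-user") else "login"
    return kind, root.findtext("{%s}message" % NS), login.get("url"), params
```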