On 20/07/2012, at 10:22 AM, Brock Allen wrote:
>
>> If you put the users' identity (or a facsimile of it) in the URL, that gets it into the cache key, and then you only need to enforce authentication at the gateway (which is supported supported in most products).
>>
> Hmm, that's not the first place I'd think to put it :) I mean... isn't this what the Authorization header is for?
Yep. A gateway can be set up to handle the authentication; e.g., in Squid, it's a combination of:
http://wiki.squid-cache.org/ConfigExamples/Reverse/BasicAccelerator
http://wiki.squid-cache.org/Features/Authentication
> Also, I'm appreciating how different our styles or mindsets are to this (and I don't mean this in a bad way at all -- it's just interesting to me). So often in the coding I do identity information is mandatory in the server itself so that authorization decisions can be made -- typically due to inputs affecting those decisions or a database needs to get consulted which isn't accessible (or designed to be) from the gateway. But then again, this is typically with RPC style apps. Maybe designing as a RESTful system will somehow allow a better decoupling and separation. I can see with an OAuth style authorization where this would be much easier to separate out... but that's because the resource that requires authorization is the thing at the end of some URL (IOW the application semantics shifting to more of a resource oriented system allow these authorization semantics to also revolve around the identifier for the resource).
Right. Where you need to use the identity on the back end, it's a matter of establishing trust between the gateway and the back end, and then conveying the user identity to it (whether that's in the URL, a header, etc.).
>> I built a system in the late 90's where we cached authenticated content on the "edge", but arranged cache control so that it was validated for every request, thereby checking authentication on the origin server. Since the responses were big PDFs, this helped quite a bit.
>>
> So you always forced a request to get to the origin, but it just returned a 304 if authorization was still granted? So you're saving on the bandwidth?
Exactly.
> Again, many thanks. For me this conversation is very compelling.
No worries!