Hey guys,
How would I go about implementing digest authentication within lift? I
don't really want to implement this at pure web-server level (e.g.
jetty or tomcat) as I need it to interact with my application.
I've done some reading, and whilst there seem to be a few browser
compatibility issues with various different client implementations
(with IE for instance), it seems to just be a case of presenting the
right HTTP headers. My use case for this is REST-type services,
so the browser issues shouldn't be an issue at all as we'll document
the implementation used in lift for anyone who wants to implement it.
So then, my question is, where can I implement this functionality?
Ideally, what I'd like is to build some kind of hook system so that
people can wire up their own functions upon the authentication request
(e.g. to query a database etc.)
Thoughts?
Cheers
Tim
Sure, I've done this type of request matching before so I'm familiar
with that.
In terms of implementing the digest auth on the server-side, we'll
need some stuff in lift to process the authorization and the headers.
I'm guessing I'll need to modify some of the HTTP stuff to do this...
have you any suggestions for where this would fit best?
The request / response cycle as I understand it should be:
request -> challenge response -> request with credentials ->
authorization -> authorized or unauthorized response
OR
request with credentials -> authorization -> authorized or
unauthorized response
Cheers
Tim
On Nov 9, 2:00 pm, "David Pollak" <feeder.of.the.be...@gmail.com>
wrote:
> I would do something like this in my DispatchPf:
>
> {
> case RequestState("api" :: _, _, ) if !goodAuthHeader => return 401
> case RequestState(....) ....
>
> }
>
> So, the first pattern matches any API request (anything to "/api/...."). It
> tests for a good auth header (this is where your code pulls the auth header,
> inspects it against the RDBMS). If the auth fails, you return a 401 and
> none of the other cases are tested.
>
> Thanks,
>
> David
>
> On Sun, Nov 9, 2008 at 5:52 AM, Tim Perrett <he...@timperrett.com> wrote:
>
> > > For standard HTML pages or for REST (Dispatch) or for both?
>
> > Sure, for REST dispatch. For instance, listing users and their details
> > would be restricted functionality which requires authentication.
>
> --
> Lift, the simply functional web framework http://liftweb.net
> Collaborative Task Management http://much4.us
Cheers, Tim
Hey David, I've been doing some noodling and think I have a good scheme to implement this. I'll make a branch on github and then post to the list when my alterations are ready.
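
The challenge / credentials / authorization cycle discussed in this thread, sketched as an added example that is not part of any post and is not Lift's code. It assumes RFC 2617 Digest with qop=auth and MD5; `DigestAuth`, `challenge`, `verify` and the `lookupPassword` hook are hypothetical names, and the sample request in `main` is the one from RFC 2617 section 3.5.

```scala
// Added illustration, not Lift code: server side of HTTP Digest (RFC 2617, qop=auth, MD5).
// DigestAuth, challenge, parse, verify and lookupPassword are hypothetical names.
import java.security.{MessageDigest, SecureRandom}
object DigestAuth {
  private def hex(bytes: Array[Byte]): String = bytes.map("%02x".format(_)).mkString
  private def md5Hex(s: String): String = hex(MessageDigest.getInstance("MD5").digest(s.getBytes("UTF-8")))

  // "challenge response": a fresh nonce and the WWW-Authenticate value sent with the 401.
  def challenge(realm: String): (String, String) = {
    val raw = new Array[Byte](16); new SecureRandom().nextBytes(raw)
    val nonce = hex(raw)
    (nonce, "Digest realm=\"" + realm + "\", qop=\"auth\", nonce=\"" + nonce + "\"")
  }

  // Splits the Authorization header into its key=value / key="value" parameters.
  private val Pair = """(\w+)=(?:"([^"]*)"|([^\s,]+))""".r
  def parse(header: String): Map[String, String] =
    Pair.findAllMatchIn(header.stripPrefix("Digest ")).map { m =>
      m.group(1) -> Option(m.group(2)).getOrElse(m.group(3))
    }.toMap

  // "authorization": lookupPassword is the application hook (e.g. a database query).
  // issuedNonce is the nonce this server handed out; a real server also tracks nc to stop replays.
  def verify(method: String, requestUri: String, header: String, issuedNonce: String,
             lookupPassword: String => Option[String]): Boolean = {
    val p = parse(header)
    val result = for {
      user <- p.get("username"); realm <- p.get("realm"); nonce <- p.get("nonce")
      uri <- p.get("uri"); nc <- p.get("nc"); cnonce <- p.get("cnonce")
      response <- p.get("response")
      if p.get("qop").contains("auth") && nonce == issuedNonce && uri == requestUri
      pass <- lookupPassword(user)
    } yield {
      val ha1 = md5Hex(s"$user:$realm:$pass")   // identity and secret
      val ha2 = md5Hex(s"$method:$uri")         // what is being requested
      val expected = md5Hex(s"$ha1:$nonce:$nc:$cnonce:auth:$ha2")
      MessageDigest.isEqual(expected.getBytes("UTF-8"), response.toLowerCase.getBytes("UTF-8"))
    }
    result.getOrElse(false) // any missing field, bad nonce or unknown user means 401
  }
  def main(args: Array[String]): Unit = {
    // Sample request from RFC 2617 section 3.5; the Map stands in for a user database.
    val users = Map("Mufasa" -> "Circle Of Life")
    val hdr = "Digest username=\"Mufasa\", realm=\"testrealm@host.com\", " +
      "nonce=\"dcd98b7102dd2f0e8b11d0f600bfb0c093\", uri=\"/dir/index.html\", qop=auth, " +
      "nc=00000001, cnonce=\"0a4f113b\", response=\"6629fae49393a05397450978507c4ef1\""
    val nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
    println(verify("GET", "/dir/index.html", hdr, nonce, users.get))
    println(verify("GET", "/dir/index.html", hdr, nonce, _ => Some("wrong")))
  }
}
```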