geting http auth info

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

geting http auth info

johnd
I am playing with http basic authentication.

I'm open to any advise.

I have some backend rpc stuff that requires a basic http auth (apache
with a simple password file).  My main qooxdoo app is in a non
protected area.  When the app runs I'd like to be able to see if the
browser already has the basic auth headers.  If they do I do nothing.
If they have not logged in I want to bring up a longin screen and set
the name and password on the rpc object so they don't get prompted
with a browser specif popup but rather a page the comes from qooxdoo.


Is there a way for javascript to ask the browser if it is already
authenticated?


The whole site is running on a https server.

------------------------------------------------------------------------------
EMC VNX: the world's simplest storage, starting under $10K
The only unified storage solution that offers unified management
Up to 160% more powerful than alternatives and 25% more efficient.
Guaranteed. http://p.sf.net/sfu/emc-vnx-dev2dev
_______________________________________________
qooxdoo-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/qooxdoo-devel
Reply | Threaded
Open this post in threaded view
|

Re: geting http auth info

johnd
On Thu, Aug 25, 2011 at 12:51 PM, John de la Garza <[hidden email]> wrote:
> I am playing with http basic authentication.
>


I'm having second thoughts no this.  If I want full control over the
login process and to never see the browser specif login window (for
basic http auth), it looks like I'll need to not use http basic auth
and have my RPC methods require authentication when called.

It seems there is no way to ask the browser if it has already
authenticated.  And If I simply assume they have not and ask for a
name and password to add to my rpc object, I have no way of knowing if
the pw and user name are correct with out generating some http req.
In doing this (if the username/pw are wrong) I get the browser pop
up...



I tried to use this code to check if I was authenticated. I hoped to
not see the pop up but just get an error.  I was hoping that somehow
my javascript wuoldn't trigger the box, but I guess it is at the
browser level so I can't get around it.var req = new
qx.io.remote.Request("/cgi-bin/json.py");
var that = this;
req.addListener("failed", function(e) {
  //var req = e.getTarget();

  // Response parsed according to the server's
  // response content type, e.g. JSON
  //req.getResponse();
that.debug('failed');

}, this);
req.addListener("completed", function(e) {

that.debug('completed');

}, this);

// Send request
  // response content type, e.g. JSON
this.debug('before send');
req.send();

------------------------------------------------------------------------------
EMC VNX: the world's simplest storage, starting under $10K
The only unified storage solution that offers unified management
Up to 160% more powerful than alternatives and 25% more efficient.
Guaranteed. http://p.sf.net/sfu/emc-vnx-dev2dev
_______________________________________________
qooxdoo-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/qooxdoo-devel
Reply | Threaded
Open this post in threaded view
|

Re: geting http auth info

Tino Butz-2
Hi,

There is no way I am aware of to check if the browser is already authenticated. The only way I can imagine is to make a request and to check the 401 status code in response header. 

Tino

Am 25.08.2011 um 23:24 schrieb John de la Garza:

On Thu, Aug 25, 2011 at 12:51 PM, John de la Garza <[hidden email]> wrote:
I am playing with http basic authentication.



I'm having second thoughts no this.  If I want full control over the
login process and to never see the browser specif login window (for
basic http auth), it looks like I'll need to not use http basic auth
and have my RPC methods require authentication when called.

It seems there is no way to ask the browser if it has already
authenticated.  And If I simply assume they have not and ask for a
name and password to add to my rpc object, I have no way of knowing if
the pw and user name are correct with out generating some http req.
In doing this (if the username/pw are wrong) I get the browser pop
up...



I tried to use this code to check if I was authenticated. I hoped to
not see the pop up but just get an error.  I was hoping that somehow
my javascript wuoldn't trigger the box, but I guess it is at the
browser level so I can't get around it.var req = new
qx.io.remote.Request("/cgi-bin/json.py");
var that = this;
req.addListener("failed", function(e) {
 //var req = e.getTarget();

 // Response parsed according to the server's
 // response content type, e.g. JSON
 //req.getResponse();
that.debug('failed');

}, this);
req.addListener("completed", function(e) {

that.debug('completed');

}, this);

// Send request
 // response content type, e.g. JSON
this.debug('before send');
req.send();

------------------------------------------------------------------------------
EMC VNX: the world's simplest storage, starting under $10K
The only unified storage solution that offers unified management
Up to 160% more powerful than alternatives and 25% more efficient.
Guaranteed. http://p.sf.net/sfu/emc-vnx-dev2dev
_______________________________________________
qooxdoo-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/qooxdoo-devel

Tino Butz
Mobile Architect

1&1 Internet AG - Web Technologies
Ernst-Frey-Straße 9 · DE-76135 Karlsruhe
Telefon: +49 721 91374-4488

Amtsgericht Montabaur / HRB 6484
Vorstände: Henning Ahlert, Ralph Dommermuth, Matthias Ehrlich, Robert Hoffmann, Markus Huhn, Hans-Henning Kettler, Dr. Oliver Mauss, Jan Oetjen
Aufsichtsratsvorsitzender: Michael Scheeren


------------------------------------------------------------------------------
EMC VNX: the world's simplest storage, starting under $10K
The only unified storage solution that offers unified management
Up to 160% more powerful than alternatives and 25% more efficient.
Guaranteed. http://p.sf.net/sfu/emc-vnx-dev2dev
_______________________________________________
qooxdoo-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/qooxdoo-devel
Reply | Threaded
Open this post in threaded view
|

Re: geting http auth info

johnd
On Fri, Aug 26, 2011 at 4:47 AM, Tino Butz <[hidden email]> wrote:
> Hi,
> There is no way I am aware of to check if the browser is already
> authenticated. The only way I can imagine is to make a request and to check
> the 401 status code in response header.
> Tino


I tried this and in my browser it causes the http auth box to come up...

I'm thinking I have to live with this and not use http auth but rather
roll my own auth system.  Things will be in https so I am considering
just send a credential of some type  to each rpc method for each call.

------------------------------------------------------------------------------
Special Offer -- Download ArcSight Logger for FREE!
Finally, a world-class log management solution at an even better
price-free! And you'll get a free "Love Thy Logs" t-shirt when you
download Logger. Secure your free ArcSight Logger TODAY!
http://p.sf.net/sfu/arcsisghtdev2dev
_______________________________________________
qooxdoo-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/qooxdoo-devel