Re: [hybi] About authentication mechanism

Greg Wilkins <gregw@intalio.com> Wed, 29 June 2011 09:14 UTC


On 29 June 2011 18:28, John Tamplin <jat@google.com> wrote:
> How many sites use HTTP auth instead of rolling their own?  I can't think of
> a single one that I use regularly that does.

It is true that not many (if any) large well known sites use the HTTP
auth mechanisms. However, there are many, many smaller sites that do use
them, and they remain well supported by J2EE environments. I also
frequently see them used with webservices.

I really don't think that WS should be forcing a choice in
authentication mechanism. It should be able to support:
  + standard HTTP authentication mechanisms
  + simple cookie-based authentication
  + token passing (e.g. OAuth) authentication

I actually think the protocol already is pretty good at doing all
this, however the API does not support any of them.
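
The following is an added example, not part of the original message or of any WebSocket implementation: a server-side check showing how the three mechanisms listed above can each ride on the HTTP upgrade request that opens a WebSocket connection. The credential stores, the `session` cookie name, the `Bearer` scheme for the token case and all function names are assumptions made for illustration.

```python
import base64
import hmac
from http.cookies import SimpleCookie

# Constructed credential stores, for illustration only.
USERS = {"alice": "correct horse"}   # HTTP Basic: user -> password
SESSIONS = {"sid-1234": "bob"}       # session cookie value -> user
TOKENS = {"tok-5678": "carol"}       # bearer token -> user

def upgrade_request(extra: str = "") -> bytes:
    """Build a constructed, trimmed upgrade request with one extra header."""
    return ("GET /chat HTTP/1.1\r\nHost: example.test\r\nUpgrade: websocket\r\n"
            f"Connection: Upgrade\r\n{extra}\r\n\r\n").encode("iso-8859-1")

def parse_headers(raw: bytes) -> dict:
    """Return the lower-cased header map of a raw HTTP request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:   # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def authenticate_handshake(raw: bytes):
    """Return (mechanism, user) for an authenticated upgrade request, else None."""
    h = parse_headers(raw)
    if h.get("upgrade", "").lower() != "websocket":
        return None
    scheme, _, cred = h.get("authorization", "").partition(" ")
    if scheme.lower() == "basic":
        try:
            user, _, pw = base64.b64decode(cred, validate=True).decode().partition(":")
        except ValueError:                # bad base64 or bad UTF-8
            return None
        expected = USERS.get(user)
        # Constant-time comparison of the supplied and stored password.
        if expected is not None and hmac.compare_digest(pw.encode(), expected.encode()):
            return ("http-basic", user)
        return None                       # failed Basic auth never falls back
    if scheme.lower() == "bearer":
        user = TOKENS.get(cred.strip())
        return ("token", user) if user else None
    sid = SimpleCookie(h.get("cookie", "")).get("session")
    if sid is not None and sid.value in SESSIONS:
        return ("cookie", SESSIONS[sid.value])
    return None                           # unauthenticated: refuse the upgrade
```

A server would call `authenticate_handshake` before sending the 101 response and answer with 401 when it returns `None`.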