lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]


12.01.2005 Javier Guerra wrote
>or maybe i'm totally offbase, and the authentication can be done just
>some headers.... if so, a simple function to check it would be enough.
>care to enlighten us about the digest authentication method?

Digest authentication uses simple challenge/response protocol.
Server side steps:
1. Does request's URI need authentication?
2. If need authentication and "Authorization" is not present - generate
challenge (respond with 401 and "WWW-Authenticate" header.)
3. If "Authorization" is present - check this header for validity.
4. Check access rights for giver request 

So it may be implemented as generic pluggable Authentication/Authorization
interface with 4 methods:
- doesResourceNeedAuthentication
- generateChallange
- validateUserCredential- 

Proposed interface above may be split into two:
- generateChallange
- validateUserCredential
- doesThisUserHasAccessToThisResource
- doesResourceNeedAuthentication ( say does Anonymous
HasAccessToThisResource ) 

Instance of Authenthication interface may implement Basic or Digest.

If one of Xavante developer will integrate such things within Xavante I am
ready to develop implementation of Digest Authentication component for
Xavante community.

Code from link below may be used as good example of building challenge and
validating response.

12.01.2005 PA wrote
>Here is an example implementation:

12.01.2005 Diego Nehab wrote
>I think all you need is base64 encoding (LuaSocket gives that to you)
>and md5 (Roberto used to have a library for that). It's very similar to
>the basic.

I agree.