[Standards-JIG] Re: LAST CALL: JEP-0124 (HTTP Binding)

Peter Saint-Andre stpeter at jabber.org
Fri Jan 7 23:59:32 UTC 2005


Does JEP-0124 require changes to address these concerns? Has specific 
text been proposed to address the concerns? If not, I would like to 
proceed with a vote by the Jabber Council.

Peter

In article <3eb0429d04110811404ffb5e8e at mail.gmail.com>,
 David Waite <dwaite at gmail.com> wrote:

> On Mon, 8 Nov 2004 11:34:33 -0000, Ian Paterson
> <ian.paterson at clientside.co.uk> wrote:
> > David, thanks for the feedback.
> > 
> > > 1. This JEP does not define the use of HTTP authentication mechanisms.
> > > Could text be added stating that deployments using HTTP authentication
> > > mechanisms (basic, digest, cookie-based, or custom solution) should
> > > have the client authenticate using the EXTERNAL authentication
> > > method?
> > 
> > The JEP intentionally avoids allowing HTTP or Cookie authentication
> > mechanisms. Some of the runtime environments it is designed for do not allow
> > clients to access the HTTP headers ("WWW-Authenticate" etc). Section 3
> > (Requirements) states: "Clients should not be required to have programmatic
> > access to the headers of each HTTP request and response (e.g., cookies or
> > status codes)."
> 
> I thought this was a stated requirement for a spec though, that
> writing a client not be limited based on required featureset for the
> spec. I did not interpret this as a cap on features that a client or
> server implementation of JEP-124 may have.
> 
> > Can you explain any examples where external authentication might be
> > necessary?
> 
> Sure, website single sign-on; allowing someone to embed a chatroom or
> other IM functionality directly into a site for all authenticated users.
> 
> For example, this could be done in a cross-platform way using the
> XmlHttpRequest object supported by IE 5.0, Mozilla + Firefox, Safari,
> Opera, and others. I haven't experimented with basic/digest/cert auth
> yet, but I do know cookies are relayed and handled the same as within
> the normal browser session context.



