[thesite] UEUE -- Cleaning up with SOAP/XML-RPC

.jeff jeff at members.evolt.org
Wed Nov 28 18:48:48 CST 2001


jeremy,

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
> From: Jeremy Ashcraft
>
> What if we had a request handler in apache (written in
> perl) that handled the authentication (via a SOAP client)
> of the user instead of having a SOAP client in each of
> the applications.  This way we can sort of "pre-screen"
> the request to determine if the user is who they say they
> are, is where they are supposed to be, what they have
> access to and manipulate the HTTP request accordingly.
> All done within the server with no change to the
> application, no matter what language it's written in.
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

not sure how you propose getting the results of the authentication to the
requested application so it knows who it's talking to.

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
> if(request is for page that shouldn't see UEUE cookies)
> {
>   strip UEUE cookies sent from browser out of request
>   headers
> }
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

this doesn't keep m.e.o. account holders from reading the cookies from the
browser via javascript.

sorry to keep pulling this trump, but partially filling the holes means we
still have a hole that can be exploited.

keep the ideas coming.

thanks,

.jeff

http://evolt.org/
jeff at members.evolt.org
http://members.evolt.org/jeff/
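
Added example, not part of the original message: a simplified JavaScript model of the objection raised above, that stripping cookies from the request on the server does not change what a script on the page can read in the browser. It goes one step further than the message and shows two cookie settings (HttpOnly, host-only scope) that do change script visibility; all hosts, cookie names and configurations are constructed assumptions.

```javascript
// Simplified model of browser cookie scoping (Domain and HttpOnly only; Path,
// Secure and SameSite are ignored). All hosts and cookie names are constructed.

// True when the browser considers the cookie in scope for `host`.
function inScope(cookie, host) {
  if (!cookie.domain) return host === cookie.setBy; // host-only cookie
  const d = cookie.domain.replace(/^\./, "").toLowerCase();
  return host === d || host.endsWith("." + d);
}

// Names a script on a page served from `host` can read through document.cookie.
function readableByScript(jar, host) {
  return jar.filter(c => inScope(c, host) && !c.httpOnly).map(c => c.name);
}

// Names the application behind the cookie-stripping handler receives.
function seenByApplication(jar, host, stripList) {
  return jar
    .filter(c => inScope(c, host))
    .map(c => c.name)
    .filter(name => !stripList.includes(name));
}

// Constructed jar: three ways a login host could have set a session cookie.
const jar = [
  { name: "sess_wide", setBy: "login.example.org", domain: "example.org", httpOnly: false },
  { name: "sess_httponly", setBy: "login.example.org", domain: "example.org", httpOnly: true },
  { name: "sess_hostonly", setBy: "login.example.org", domain: null, httpOnly: false },
];
const strip = jar.map(c => c.name);      // handler strips every session cookie
const userPages = "members.example.org"; // host serving user-controlled pages

// The application sees nothing, yet the domain-wide cookie is still readable
// by script on the user-pages host; the HttpOnly and host-only ones are not.
console.log("application sees:", seenByApplication(jar, userPages, strip));
console.log("page script reads:", readableByScript(jar, userPages));
```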





