On Wed, Apr 13, 2005 at 10:54:26PM -0400, Rich Salz wrote:
> As I understand it, HTTP auth is somewhat extensible. A client
> can make a request, and the server can respond with a challenge.
> The client uses that challenge to authenticate itself, re-issue
> the request, and verify the server's identity.
>
> How can the client get the server's identity before sending any
> "real" data? A well-known URI or a new method? How can the server
> challenge the client to prove its identity without requiring state
> on the server?
>
> I believe the very statelessness of HTTP and REST makes it
> impossible.
Architectural constraints, such as statelessness, are constraints on
form, not function; what you're talking about *is* possible. The
issue will be whether the larger message size in the stateless
solution will be acceptable or not. How much state are you talking
about?
Mark.
--
Mark Baker. Ottawa, Ontario, CANADA. http://www.markbaker.ca
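One shape the stateless challenge-response Mark describes can take, added here as an example and not code from either poster: the server MACs a timestamp and nonce with its own key, so the challenge proves its own origin and nothing is stored between the challenge and the answered request; the cost is that the whole challenge rides back in the Authorization header. The key names, the credential store and the header layout are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import os
import time

# Constructed sample secrets (assumptions): a server signing key and a
# credential store keyed by user name. The store is configuration, not
# per-request state; nothing about an outstanding challenge is kept.
SERVER_KEY = b"example-server-challenge-key"
CLIENT_SECRETS = {"alice": b"example-alice-shared-secret"}

def _tag(key: bytes, msg: str) -> str:
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()

def issue_challenge(now=None) -> str:
    """Server side: 'timestamp:nonce:mac'; the MAC lets the server trust it later."""
    ts = int(time.time() if now is None else now)
    nonce = base64.urlsafe_b64encode(os.urandom(16)).decode()
    body = f"{ts}:{nonce}"
    return f"{body}:{_tag(SERVER_KEY, body)}"

def challenge_is_valid(challenge: str, max_age=300, now=None) -> bool:
    """Server side: accept only a challenge it signed itself, at most max_age seconds old."""
    parts = challenge.split(":")
    if len(parts) != 3 or not parts[0].isdigit():
        return False
    ts, nonce, tag = parts
    if not hmac.compare_digest(_tag(SERVER_KEY, f"{ts}:{nonce}"), tag):
        return False
    age = (time.time() if now is None else now) - int(ts)
    return 0 <= age <= max_age

def answer_challenge(user: str, secret: bytes, challenge: str, method: str, uri: str) -> str:
    """Client side: echo the whole challenge (the extra bytes) and bind the proof to the request."""
    proof = _tag(secret, f"{challenge}|{method}|{uri}")
    return f"{user}:{challenge}:{proof}"

def verify_answer(authorization: str, method: str, uri: str, now=None) -> bool:
    """Server side: everything needed is in the header plus the credential store."""
    parts = authorization.split(":")
    if len(parts) != 5:
        return False
    user, proof = parts[0], parts[4]
    challenge = ":".join(parts[1:4])
    secret = CLIENT_SECRETS.get(user)
    if secret is None or not challenge_is_valid(challenge, now=now):
        return False
    return hmac.compare_digest(_tag(secret, f"{challenge}|{method}|{uri}"), proof)
```

Within the validity window a captured answer is still accepted again; refusing a repeat would mean remembering nonces already seen, which is exactly the state the design set out to avoid.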