Thursday, 29 April 2010

Web resource authentication and AJAX (WIN)

We've just run a series of experiments to test how web resource access controls work for AJAX requests. The good news is that (for us, at least, using a Firefox browser and Apache server) they work just the way we want them to.

The test environment used was:

  • Ubuntu 9.10 running Apache 2.2 with mod_dav (and related modules), configured with ADMIRAL user accounts
  • Firefox 3.5.9 on Ubuntu 9.10
  • Shuffl development code

We copied the Shuffl source code into a WebDAV-enabled area of the file server, modified one of the Shuffl demo applications to register a WebDAV storage handler, and loaded the demo application workspace in a browser.

We were able to:

  • save a modified workspace into a non-access-controlled WebDAV directory without entering any user credentials,
  • save a modified workspace into an access controlled directory on entering appropriate user credentials,
  • access but not modify files in a user's directory when authenticated as the research group leader.

Further, we observed that, when logged in as one user, attempts to access the area of another user were refused until the correct credentials for that area were provided.

We had anticipated that the AJAX calls might require authentication by the JavaScript code if the required authentication cookies were not already established when loading the web page. The plan was to ensure that the application web page would be protected so that user credentials would be required when loading that page. As it turns out, even this simple step is not needed: the browser answers the server's authentication challenge for an AJAX request just as it does for an ordinary page load, prompting for credentials and re-sending the request, without any involvement from the page's script.
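To make the exchange above concrete, here is an added example (not code from the original post, nor from Shuffl or ADMIRAL) that models both sides in memory: an Apache-style server applying Basic authentication and per-directory rules, and a browser handling the 401 challenge on behalf of XMLHttpRequest. The user names, passwords, realm name and directory layout (an unprotected /shared/ area and per-user /users/<name>/ areas readable by a group leader) are constructed for the illustration; the policy mirrors the four observations listed above rather than any real ADMIRAL configuration.

```javascript
// Added example, not code from the original post or from Shuffl/ADMIRAL:
// an in-memory model of the server side (Apache-style Basic auth with
// per-directory rules) and the client side (what the browser does when an
// XMLHttpRequest meets a 401 challenge). User names, passwords, the realm
// and the directory layout are constructed for this illustration.

const USERS = { alice: "alice-pw", bob: "bob-pw", leader: "leader-pw" }; // stands in for an AuthUserFile
const GROUP_LEADER = "leader";
const REALM = "ADMIRAL";
const READ_METHODS = new Set(["GET", "HEAD", "OPTIONS", "PROPFIND"]); // what the leader may do in others' areas

// Decode "Authorization: Basic <base64(user:password)>"; returns the user
// name when the credentials are valid, otherwise null.
function authenticate(authorization) {
  if (!authorization || !authorization.startsWith("Basic ")) return null;
  const decoded = Buffer.from(authorization.slice(6), "base64").toString("utf8");
  const sep = decoded.indexOf(":");
  if (sep < 0) return null;
  const user = decoded.slice(0, sep);
  return USERS[user] === decoded.slice(sep + 1) ? user : null;
}

// Server side. Directory policy modelled on the post's observations:
//   /shared/...        no access control at all
//   /users/<name>/...  <name> may read and write; the group leader may read
//                      but not modify; everyone else is challenged.
// As with Apache 2.2's Require, a user who authenticates but is not
// permitted gets the 401 challenge again rather than a 403.
function handleRequest(method, path, headers) {
  if (path.startsWith("/shared/")) return { status: 200 };
  const match = /^\/users\/([^/]+)\//.exec(path);
  if (!match) return { status: 404 };
  const owner = match[1];
  const challenge = { status: 401, headers: { "WWW-Authenticate": `Basic realm="${REALM}"` } };
  const user = authenticate(headers.Authorization);
  if (user === null) return challenge;
  if (user === owner) return { status: 200 };
  if (user === GROUP_LEADER && READ_METHODS.has(method)) return { status: 200 };
  return challenge;
}

// Client side: the browser's handling of XMLHttpRequest. The page's script
// only sees the final response; the challenge, the credential prompt and the
// retry all happen inside the browser, and credentials that worked are kept
// for the rest of the session.
function makeBrowser(promptForCredentials) {
  let cachedAuth = null; // Authorization header value remembered for this server
  return function xhr(method, path) {
    let response = handleRequest(method, path, cachedAuth ? { Authorization: cachedAuth } : {});
    if (response.status !== 401) return response;
    const realm = /realm="([^"]*)"/.exec(response.headers["WWW-Authenticate"])[1];
    const creds = promptForCredentials(realm, path); // null models the user pressing Cancel
    if (creds === null) return response;
    const auth = "Basic " + Buffer.from(`${creds.user}:${creds.password}`).toString("base64");
    response = handleRequest(method, path, { Authorization: auth });
    if (response.status !== 401) cachedAuth = auth; // browsers only remember what worked
    return response; // simplification: a real browser would prompt again on a second 401
  };
}

// Walk through the post's observations with the constructed accounts;
// returns [label, status] pairs so the outcome can be checked programmatically.
function demonstrate() {
  const asAlice = makeBrowser(() => ({ user: "alice", password: "alice-pw" }));
  const asLeader = makeBrowser(() => ({ user: "leader", password: "leader-pw" }));
  const results = [];
  results.push(["anonymous PUT to /shared/", asAlice("PUT", "/shared/workspace.json").status]);
  results.push(["alice PUT to own area after prompt", asAlice("PUT", "/users/alice/workspace.json").status]);
  results.push(["alice GET own area, no prompt", asAlice("GET", "/users/alice/workspace.json").status]);
  results.push(["alice GET bob's area with alice's credentials", asAlice("GET", "/users/bob/workspace.json").status]);
  results.push(["leader GET alice's area", asLeader("GET", "/users/alice/workspace.json").status]);
  results.push(["leader PUT to alice's area", asLeader("PUT", "/users/alice/workspace.json").status]);
  return results;
}

for (const [label, status] of demonstrate()) console.log(`${status}  ${label}`);
```

Run it with Node; the six lines it prints correspond to the observations above (200, 200, 200, 401, 200, 401). The model keeps one detail that matters when reading Apache logs: with Basic authentication an authenticated user who fails a `Require` check is sent the 401 challenge again, which is why the cross-user case shows up as a repeated credential prompt rather than a flat refusal. Because Basic authentication only base64-encodes the user name and password, the same setup should sit behind TLS on a real server.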
