We've just run a series of experiments to test how web resource access controls work for AJAX requests. The good news is that (for us, at least, using a Firefox browser and Apache server) they work just the way we want them to.
The test environment used was:
- Ubuntu 9.10 with Apache 2.2 server with mod_dav, etc., configured with ADMIRAL user accounts
- Firefox 3.5.9 on Ubuntu 9.10
- Shuffl development code
We copied the Shuffl source code into a WebDAV-enabled area of the file server, modified one of the Shuffl demo applications to register a WebDAV storage handler, and loaded the demo application workspace in a browser.
We were able to:
- save a modified workspace into a non-access-controlled WebDAV directory without entering any user credentials,
- save a modified workspace into an access-controlled directory on entering appropriate user credentials,
- access but not modify files in a user's directory when authenticated as the research group leader.
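
The three checks above can be written down as a repeatable access-control matrix. The following is an added example, not Shuffl code or part of the original experiment. The paths, user names and passwords are constructed placeholders, and the anonymous write to the protected directory is a case the post implies but does not list. `mockTransport` is a hypothetical offline stand-in for the server; in a browser, pass `xhrTransport` instead.

```javascript
// Added example, not Shuffl code. Paths, users and passwords are constructed.
const ALICE = { user: "alice", pass: "alice-pw" };      // directory owner
const LEADER = { user: "leader", pass: "leader-pw" };   // research group leader
const CASES = [
  { name: "anonymous write, open dir",      method: "PUT", url: "/open/ws.json",        creds: null,   expect: "allow" },
  { name: "anonymous write, protected dir", method: "PUT", url: "/users/alice/ws.json", creds: null,   expect: "refuse" },
  { name: "owner write, protected dir",     method: "PUT", url: "/users/alice/ws.json", creds: ALICE,  expect: "allow" },
  { name: "leader read, user's dir",        method: "GET", url: "/users/alice/ws.json", creds: LEADER, expect: "allow" },
  { name: "leader write, user's dir",       method: "PUT", url: "/users/alice/ws.json", creds: LEADER, expect: "refuse" },
];

// Map an HTTP status to a policy outcome; anything else is a setup error.
function classify(status) {
  if (status >= 200 && status < 300) return "allow";
  if (status === 401 || status === 403) return "refuse";
  return "error";
}

// Browser transport: synchronous XMLHttpRequest with explicit credentials.
function xhrTransport(method, url, creds) {
  const xhr = new XMLHttpRequest();
  xhr.open(method, url, false, creds ? creds.user : null, creds ? creds.pass : null);
  xhr.send(method === "PUT" ? "{}" : null);
  return xhr.status;
}

// Offline stand-in for the server, modelling the policy the post describes.
function mockTransport(method, url, creds) {
  const write = method !== "GET";
  if (url.startsWith("/open/")) return write ? 201 : 200;
  const owner = (/^\/users\/([^/]+)\//.exec(url) || [])[1];
  if (!owner) return 404;
  const known = [ALICE, LEADER].some(u => creds && u.user === creds.user && u.pass === creds.pass);
  if (!known) return 401;
  if (creds.user === owner) return write ? 201 : 200;
  return creds.user === LEADER.user && !write ? 200 : 403;
}

// Run every case through a transport and flag mismatches with the expected policy.
function runMatrix(send) {
  return CASES.map(c => {
    const got = classify(send(c.method, c.url, c.creds));
    return { name: c.name, expect: c.expect, got, pass: got === c.expect };
  });
}

console.log(runMatrix(mockTransport).every(r => r.pass) ? "policy holds" : "policy violated");
```

A server that accepts every request fails the two "refuse" rows, which is the misconfiguration this matrix is meant to catch.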