[plt-scheme] Web server authorisation

From: Don Felgar (dfelgar at rainier-infosys.com)
Date: Mon Oct 27 12:50:10 EST 2003

On Sun, Oct 26, 2003, Noel Welsh wrote:
> A question about the web server:
> I see there is a function, extract-user-pass, to get
> usernames and passwords for HTTP headers.  If you
> create a .htaccess file and have the correct
> configuration Apache will send an HTTP authorisation
> response whenever you attempt to access the protected
> resources.  Web browsers recognise this and pop up a
> little login box.  Is there any function or
> configuration to send the appropriate response from
> the PLT web server?

Extract-user-pass extracts and returns the username/password from the
headers or returns #f if not found.  Your code would have to make an
authorization decision based on the return from extract-user-pass.  I
always prefer to have a login page rather than using header-based
authentication.  Email if you would like sample code.  In case you
haven't tried it before, authentication is really nice with servlets.
The user authenticates to enter the main loop of the servlet, and you
store session data in a variable rather than a state table, eg:

 ;; authenticate-user-loop and make-page are helpers from the author's own
 ;; servlet (offered by email above); they are not part of the web-server API.
 (define (main)
   ;; loop the login page until the user authenticates; the result is the
   ;; per-user session data, kept in a variable for the servlet's lifetime
   (let ((session (authenticate-user-loop "hh_demo")))
     (let loop ((request initial-request))
       ;; make-page renders the page for this request and returns the next one
       (loop (make-page session request)))))

> What if I want authorisation to operate over https for security?
> Can I configure certain pages to be sent over secure connections
> only?

I don't know the answer, but you might consider running different
web-servers on ports 80 and 443 anyway.  Different document roots may
make data protection easier.

> In the documentation a send/back function is mentioned
> in association with report-errors-to-browser, but this
> function is not documented in the rest of the
> documentation.

Greg Pettyjohn <gregp at ccs.neu.edu> tells me that he is the one with
whom to discuss documentation bugs.  I believe he is the web-server
Honcho.  From looking at the code in web-server-unit.ss, it seems that
send/back sends a page to the client, and then if there are any
continuations left in the state table, revert back to the last one, or
if not, exit the servlet.  There is also a send/forward, which may be
still undocumented as well.  It persists the current servlet, but
purges all its stored continuations.

> Thanks,
> Noel

> Exclusive Video Premiere - Britney Spears
> http://launch.yahoo.com/promos/britneyspears/

At long last.
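As an added illustration, not code from this thread or from the 2003 PLT web server, here is how a servlet written against the current Racket web-server API does what Noel asked about: it reads the credentials from the Authorization header, makes the authorization decision in its own code (as the reply says it must), and otherwise sends a 401 with a WWW-Authenticate challenge, which is what makes the browser show its login box. `request->basic-credentials` and `make-basic-auth-header` are the modern replacements for `extract-user-pass`; the `users` table, the realm name and the `constant-time-equal?` helper are constructed for this example.

```racket
#lang web-server/insta
;; Added example: HTTP Basic authentication in a Racket servlet.
;; Assumes the modern web-server API (request->basic-credentials,
;; make-basic-auth-header), not the 2003 extract-user-pass helper.
(require racket/match)

;; Constructed credential table for the example only. A real deployment
;; stores a salted password hash, never the cleartext.
(define users
  (hash #"alice" #"correct horse battery staple"))

;; Compare two byte strings without an early exit that would reveal
;; where the first mismatch is (only the length is allowed to leak).
(define (constant-time-equal? a b)
  (and (= (bytes-length a) (bytes-length b))
       (zero? (for/fold ([acc 0]) ([x (in-bytes a)] [y (in-bytes b)])
                (bitwise-ior acc (bitwise-xor x y))))))

;; The authorization decision the thread says your own code has to make:
;; creds is (cons user pass) or #f when no Authorization header was sent.
(define (authorized? creds)
  (match creds
    [(cons user pass)
     (define expected (hash-ref users user #f))
     (and expected (constant-time-equal? expected pass))]
    [_ #f]))

;; 401 plus a WWW-Authenticate header: this is the response that makes
;; the browser pop up its login box.
(define (challenge)
  (response 401 #"Unauthorized" (current-seconds) TEXT/HTML-MIME-TYPE
            (list (make-basic-auth-header "plt-demo"))
            (lambda (out) (write-bytes #"<p>Login required</p>" out))))

;; Servlet entry point: either the protected page or the challenge.
(define (start req)
  (define creds (request->basic-credentials req))
  (if (authorized? creds)
      (response/xexpr
       `(html (body (p "Hello, " ,(bytes->string/utf-8 (car creds))))))
      (challenge)))
```

Run it from DrRacket (or `racket` on the file) and the first request to the servlet returns the challenge; once the browser has cached credentials that pass `authorized?`, every later request reaches the page. Note that Basic credentials are sent base64-encoded, not encrypted, on every request, which is why the thread's follow-up question about serving such pages over https matters.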

Posted on the users mailing list.