[plt-scheme] Looking for a security consultant with PLT web server experience

From: Jay McCarthy (jay.mccarthy at gmail.com)
Date: Mon Oct 5 17:05:10 EDT 2009

You would not need your own dispatcher, and it works with all auth.

Pseudo-code...

(define current-user ...)   ; parameter holding the authenticated user

...

(define prev-user (current-user))           ; who was logged in when we suspended
(define unauthed-req (send/suspend ...))    ; the request that resumes the continuation
(if (has-authenticator? unauthed-req prev-user)
    (continue)                              ; same authenticator: just carry on
    (with-authentication                    ; otherwise ask the presenter to log in
      (cond
       [(equal? prev-user (current-user))
        (continue)]                         ; same person re-authenticated
       [(has-access? (current-user) continue)
        (continue)]                         ; ACL says the new user may do this too
       [else
        (access-denied+restart-ui)])))      ; deny and start over

Jay

On Mon, Oct 5, 2009 at 2:37 PM, YC <yinso.chen at gmail.com> wrote:
>
> On Mon, Oct 5, 2009 at 4:44 AM, Jay McCarthy <jay.mccarthy at gmail.com> wrote:
>>
>> This, in general, is the method I advise. However, the comment that
>> "This doesn't allow people to, say, email URLs to one another." is not
>> exactly true even when you aren't using the URL dispatcher. The
>> continuation will always be invoked, but if there is extra
>> authentication then it will perform that before doing work. When the
>> authentication isn't there, it doesn't need to just error; it can
>> request authentication and then resume the previous user's computation
>> if it is appropriate. (For example, if the previous continuation was
>> changing the password, then new authentication doesn't allow it, but
>> if it is looking at a paper review, then the new authentication would
>> consult the ACL to decide if the paper review should be displayed and
>> maybe it can.)
>>
> Jay -
>
> this is interesting - do you need to write your own dispatcher to make this
> work?  Also - does it work with form-based auth?
>
> Thanks,
> yc
>
>



-- 
Jay McCarthy <jay at cs.byu.edu>
Assistant Professor / Brigham Young University
http://teammccarthy.org/jay

"The glory of God is Intelligence" - D&C 93
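The scheme sketched above, written out as a runnable stateful servlet for the PLT/Racket web server. This is an added example, not Jay's code or the web server's own: the `user` query binding stands in for real authentication (a session cookie or form/digest login would supply it in practice), and the review ACL is constructed sample data.

```racket
#lang racket
(require web-server/servlet web-server/servlet-env)

;; Constructed sample ACL: which users may read which paper review.
(define review-acl (hash "review-1" '("alice" "bob") "review-2" '("alice")))

;; Stand-in for the site's authentication layer (assumption for this example):
;; the `user` query binding names the authenticated user, or #f if absent.
(define (authenticated-user req)
  (define b (request-bindings req))
  (and (exists-binding? 'user b) (extract-binding/single 'user b)))

;; No authenticator on the resuming request: suspend again and ask for one.
(define (ask-for-authentication)
  (authenticated-user
   (send/suspend
    (lambda (k-url)
      (response/xexpr
       `(html (body (p "Please authenticate to continue")
                    (form ([action ,k-url])
                          (input ([name "user"]))
                          (input ([type "submit"])))))))))))

;; The three-way decision from the thread, applied when a continuation that
;; was about to show `review` for `prev-user` is resumed by someone.
(define (resume-review prev-user req review)
  (define (continue)
    (response/xexpr `(html (body (p ,(format "Review ~a (opened by ~a)" review prev-user))))))
  (define user (or (authenticated-user req) (ask-for-authentication)))
  (cond
    [(equal? user prev-user) (continue)]                         ; same person came back
    [(member user (hash-ref review-acl review '())) (continue)]  ; ACL grants the new user
    [else (response/xexpr `(html (body (p "Access denied"))))])) ; otherwise refuse

(define (start req)
  (define prev-user (or (authenticated-user req) "anonymous"))
  ;; Capture the continuation; the k-url handed out here may be emailed around,
  ;; so whoever opens it is re-checked in resume-review before any work happens.
  (define later-req
    (send/suspend
     (lambda (k-url)
       (response/xexpr
        `(html (body (p ,(format "Logged in as ~a." prev-user))
                     (a ([href ,k-url]) "Open review-1")))))))
  (resume-review prev-user later-req "review-1"))

(serve/servlet start #:servlet-path "/" #:launch-browser? #f)
```

Start it, open `/?user=alice`, then open the emitted continuation link from another browser as `bob` (allowed by the ACL) or `carol` (denied) to watch the cond branches fire.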


Posted on the users mailing list.