David
Thu Jan 10 06:47:03 CST 2008
On Jan 8, 12:44=A0pm, TonyV <kingskip...@gmail.com> wrote:
> On Jan 8, 2:45 pm, "Rick Barber" <r...@orcsweb.com> wrote:
>
> > Hi,
>
> > Is there a specific reason you need to do it like that? =A0I usually app=
roach
> > it the opposite way and give anonymous access to the main site, and then=
> > only require a login to those areas of the site that I want secured. =A0=
The
> > logged in user still has access to the anonymous areas of the site but
> > people aren't prompted just to get to the main public-facing site.
>
> > --
> > Rick Barber
>
> What I'm trying to do is to create a page that displays information to
> the public-at-large. =A0(Well, the public-at-large on our corporate
> Intranet, anyway.) =A0If a user is one of a predefined list of editors,
> however, I'd like for editing controls to show up on the page.
>
> I'm trying to make the page as smart as possible. =A0If a person is an
> editor, they shouldn't have to go to a separate URL to edit the
> information, they should be able to right there in-place on the page
> itself. =A0If they're not, they should just see the information without
> having editing controls that would only say that they're denied
> access.
>
> An added complication is that some people will be browsing the page
> with their Blackberries, which doesn't automagically authenticate
> users like IE does (the browser that will normally be used by the
> editors). =A0Editors won't be editing pages on their Blackberries,
> though, so if they access the page via a Blackberry, it's perfectly
> fine for them to see the same page that the public-at-large does.
>
> So ideally, IIS would check to see if the user is authenticated using
> IE's automagic authentication system, where you're not prompted with a
> username or password. =A0If that information isn't available, then and
> only then would it bail out to anonymous access. =A0Plus, I've gotta
> admit, I'm a little curious as to why the anonymous access and
> integrated Windows authentication boxes are checkboxes instead of
> radio buttons if, as it appears to me, it will always be either one or
> the other.
The reason that authentication protocols are checkboxes instead of
radio buttons is this:
1. By specification, Clients can choose to authenticate using any of
an arbitrary number of protocols. Almost all Clients choose anonymous
authentication by default.
2. By specification, Servers can choose to require authentication
through any number of authentication protocols. You control the
requirement through the check boxes
3. Thus, while a particular client-server interaction will select a
single agreed-upon authentication protocol (you mistake this to mean a
radio-button choice), the selected protocol can certainly change for
server interactions from client to client (this is why it's a check-
box choice for the server)
In other words, you configure via checkboxes to tell the server
"please require authentication of EITHER Anonymous OR Integrated from
the Clients" (check-box). When clients make the first request to the
server, they have to choose some authentication protocol, and most
choose Anonymous (no authentication) by default. Thus, if anonymou is
checked, you are guaranteed that clients will use anonymous even if
other authentication protocols are configured -- that's just how the
web works.
So you see, reality works very differently from what you imagine.
Servers like IIS do not check on the client's authentication status
and act accordingly. HTTP is a client-pull model, not server-push
model. Servers can only make requirements of authentication AFTER
being contacted by a client, and client can choose to fulfill them or
not, and the fulfillment can be via auto-login.
I think Kristofer's explanation is spot on.
Over the years, lots of people have asked for this sort of "fallback
authentication protocol" where users authenticate to IIS by default
and on failure, fallback to anonymous access. The user usually want to
have a single website with pages that give multiple user experiences
-- a basic one for the anonymous, and an enhanced one for the
authenticated user based on some authorization profile. This is
basically what you are trying to do.
However, there is no public authentication protocol that works like
this, and for good reason -- the protocol is flawed. For example, how
can such a protocol distinguish between "failed login so should give
degraded experience" vs "failed login because of mistaken auto-login
so should try again for enhanced experience".
I know you are trying to make the page "smart", but what you are
really doing is muddling the boundary between AuthN (authentication)
and AuthZ (authorization). You are not alone, but just because you
have company does not make your desire any more reasonable.
The solutions are as Kristofer says -- either:
1. Authentication everyone, then Authorize users to be able to edit
2. Make users click a link to initiate authentication and
authorization to edit
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//