I'm exploring the possibility of implementing RESTful services from a Shibboleth (http://shibboleth.net/) protected site. So far what that means to me is that I have to support at a minimum Cookies and Basic Authentication. I'm still trying to conceptualize the process so please help me fill in the holes.
My reading has led me to the Apache HTTP core client (http://hc.apache.org/) which seems like a very nice implementation of almost everything I need.
My current stumbling block is understanding the warnings in their documentation about the security problems with "preemptive authentication". They say:
HttpClient does not support preemptive authentication out of the box, because if misused or used incorrectly the preemptive authentication can lead to significant security issues, such as sending user credentials in clear text to an unauthorized third party. Therefore, users are expected to evaluate potential benefits of preemptive authentication versus security risks in the context of their specific application environment.
I take that to mean that it is good practice to try to connect, wait for a 401-Authentication required, somehow decide if you really, really want to send the requestor the user's password then what? I think I then ask the user for their username/password and make the same request with preemptive authentication. I do not see a way to reply directly to the 401 response.
The other bugaboo is that I really don't know of a way to check anything about the server. There are multiple redirects in the sign-on process, with the first one possibly using http. The rest use https and I think having valid certificates is enough. It is up to the server to decide which Identity Provider the login requests are routed to.
So how do you handle 401 responses?
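The challenge-response flow the question describes, as an added Java example that is not from the question or from the HttpClient documentation. It assumes HttpClient 4.x and a hypothetical service at service.example.org:443; the credentials are scoped to that one host so a 401 from any other host in the redirect chain (including a plain-http hop) gets nothing.

```java
import java.io.IOException;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.util.EntityUtils;

public class ChallengeResponseClient {
    // Hypothetical service host and port; credentials are bound to exactly this pair.
    static final String SERVICE_HOST = "service.example.org";
    static final int SERVICE_PORT = 443;

    public static void main(String[] args) throws IOException {
        String user = System.console().readLine("Username: ");
        char[] password = System.console().readPassword("Password: ");

        BasicCredentialsProvider creds = new BasicCredentialsProvider();
        // Only a Basic challenge from service.example.org:443 is answered. A challenge
        // from another host, or from the same host on port 80 over http, does not
        // match this AuthScope, so the password is never sent there.
        creds.setCredentials(
                new AuthScope(SERVICE_HOST, SERVICE_PORT, AuthScope.ANY_REALM, "basic"),
                new UsernamePasswordCredentials(user, new String(password)));

        try (CloseableHttpClient client = HttpClients.custom()
                .setDefaultCredentialsProvider(creds)
                .build()) {
            HttpGet get = new HttpGet("https://" + SERVICE_HOST + "/api/resource");
            // The first attempt carries no Authorization header (not preemptive). If the
            // server answers 401 with WWW-Authenticate: Basic, HttpClient looks up the
            // matching AuthScope and repeats the request with credentials on its own;
            // there is no need to "reply" to the 401 by hand.
            try (CloseableHttpResponse resp = client.execute(get)) {
                int status = resp.getStatusLine().getStatusCode();
                if (status == 401) {
                    // Still 401 after the automatic retry: credentials were rejected,
                    // or the challenge came from a host outside the AuthScope.
                    System.err.println("Authentication failed: " + resp.getStatusLine());
                } else {
                    System.out.println(EntityUtils.toString(resp.getEntity()));
                }
            }
        } finally {
            java.util.Arrays.fill(password, '\0');
        }
    }
}
```

The scoped provider is what makes the non-preemptive mode safe: credentials leave the client only after a challenge, and only to the host and port you named.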
It's not what your program can do, it's what your users do with the program.