Ticket #330 (closed defect: fixed)
Problem with variable loading from secure area
|Reported by:||jgou||Owned by:||jgou|
The template feature to load variable data from a URI fails when that URI is protected by the kauri-security. This occurs because the request used to load the variable data is a fresh instance, and has no associated authentication information.
I'm not really sure what the best behaviour should be. Some thoughts:
- always allow loading (bypass security)
- re-use authentication object from original call
- this should only be allowed in same auth realm
- what if authentication is obtained through method with lower level than the URI requires ?
- always return 401 unauthorized (same as now)
- make sure the security layer doesn't throw exceptions as is now the case with form-based authenticator (using src="service:/foo/bar")