AJAX - The Complete Reference


302 Part II: Developing an Ajax Library


no different in their general approach to authentication. However, like many aspects of
Ajax technologies, there is theory and perception, and then there is the harsh reality of
implementation.

Traditionally, Web applications employ one of two forms of authentication. The first
is the built-in HTTP authentication provided by browsers, which comes in two general
implementations: basic and digest. The second is what is often dubbed custom authentication,
cookie authentication, or form-based authentication.

Both approaches have their pros and cons. While standard HTTP authentication lacks
customization, has logout problems, and can be highly insecure in some forms, it is more
RESTful and enjoys some security benefits missing from the alternative. While custom
form-based authentication systems are certainly more customizable, they do take work to set
up. The technique also suffers from a lack of degradability when cookies are rejected,
and it has security concerns of its own.

NOTE REST (Representational State Transfer) describes a method of Web application design that
works with HTTP and URLs so that RESTful applications blend naturally into the architecture
of the Web and can be utilized by a variety of user-agents including bots and other programs.
More information about this pattern can be found online (http://en.wikipedia.org/wiki/
Representational_State_Transfer) and it is employed in many examples in Chapter 9.

HTTP Authentication under Ajax


Using basic authentication, a resource on the server may be protected by issuing some
directives. For example, on Apache, the entries below indicate that a particular directory is
protected.

<Directory /u/www/sites/ajaxref.com/ch7/protectedbasic>
AllowOverride AuthConfig
AuthType Basic
AuthName "Secure Basic"
AuthUserFile "/home/ajaxref/htpasswd"
Require user AjaxBasic
</Directory>

While on IIS, Basic authentication can be set using the IIS manager.