October, 2005

Scam from Element K Journals

I got a *subscription renewal* invoice from Element K Journals in the mail today for Inside Microsoft Windows Server Security, Windows Security Online Answers On-Demand Service, and Microsoft Windows Server Security Discussion Forum.

Both of you who regularly read this site know I am a fan of neither Microsoft nor their craptacular operating system. So it shouldn’t come as any surprise that I’ve never subscribed to these journals.

This is a scam. Plain and simple.

The hope of the bastards at Element K Journals is that the spouse of the geek will simply pay the bill. When the unwanted (and probably worthless) “journals” begin to arrive, it will be *surprisingly* difficult to correct the mistake.

Because the scam artists are located in Rochester, NY, I think I may forward the information along with my concerns to Eliot Spitzer’s office. I know this is a small-time deal for him, but he might have a minor minion who would be interested enough to *look into it*.

I’m Buying TextMate

OK. Now I get it. The whole Bundles thing doesn’t have really good usability, but it certainly is powerful.

I’m also [doing a fair bit of Python development](http://metrocat.org/nerd/2005/10/identity-management-for-turbogears) these days. TextWrangler just doesn’t handle expanding tabs into spaces correctly, and because indentation is significant in Python, this can be a huge problem.

Now all I need to do is figure out how to buy it.

Identity Management for TurboGears

I just committed the code for the TurboGears identity management support (revision 89). And because this is such new code, I thought it might be helpful to include a short How To for getting everything up and running.

This How To is written from the perspective of a fresh quick-started project, but most of it applies to existing projects as well.
Read Identity Management for TurboGears »

Safari Can’t REST

I’ve been working on an authentication system for [TurboGears](http://www.turbogears.org) and my forthcoming Content Management System.

I really wanted to support a REST interface to the admin console. For example:

    GET /admin/user/jeff HTTP/1.1
    Accept: text/javascript

Should return a JSON formatted object containing my user record. That actually works great.

The admin console will interact with the server by creating Ajax requests on the REST interface. Seems reasonable, right?

Except Safari translates the PUT and DELETE methods into **GET** methods. I suppose I should be happy that I can use GET and POST.

**UPDATE**: This is a known [bug in Safari’s XMLHttpRequest](http://bugzilla.opendarwin.org/show_bug.cgi?id=3812) object. Now I wonder whether it will be fixed anytime soon.

An Authentication Framework

#### Authentication baked into the framework ####

All the frameworks I’ve looked at have poor authentication support. Some don’t have an authentication framework at all. Some support HTTP Basic Auth or HTTP Digest Auth. Others support form-based login without HTTP auth.

Using form-based authentication is preferred for Web applications because you have complete control over the user experience. You can change the appearance of the login form; you can change the number and type of input fields; you can do anything.

HTTP Authentication has the advantage of simplicity. You can use HTTP auth to secure a folder on your Web server with only a few configuration parameters. You also have a surprising amount of flexibility with HTTP auth: your user records can be stored in a DB or in LDAP or in a flat file.

#### Authentication in an Ajax world ####

I’ve been working with [TurboGears](http://www.turbogears.org) lately to build out the server side of the CMS. One of TurboGears’ hallmark features is the ability to seamlessly return either XHTML or JavaScript objects in [JSON](http://www.json.org/) format. That’s huge if you’re working with Ajax like I am. When you combine the JSON data with my [DHTML Bindings Framework](http://metrocat.org/nerd/2005/08/dhtml-binding-example), you’ve got a *really* powerful toolset.

Ajax demands greater flexibility from authentication frameworks.

If you’re using Ajax with form-based authentication, what do you do if the user’s session expires and you need to redirect him to a login screen? I suppose you could send the HTML for the login screen back instead of JSON formatted objects, but your client-side code would have to be *very* smart.

Ideally, when building an Ajax application, you would respond with an HTML form for authentication when the browser requests an HTML page and an HTTP authentication error code when the browser uses an XMLHttpRequest to fetch a resource.
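As an added example (not code from these posts or from TurboGears) of the two ideas above, the unauthenticated response negotiated on the Accept header, and GET kept strictly read-only so a browser that downgrades PUT/DELETE to GET, as the Safari post describes, cannot change anything. Request, Response, USERS and the /login path are assumed stand-ins.

```python
# Added example (not code from the posts or TurboGears): an admin endpoint that
# negotiates JSON vs HTML on Accept, answers unauthenticated Ajax calls with 401
# and page loads with a redirect, and keeps GET read-only. Names are assumptions.
import json
from dataclasses import dataclass, field
from typing import Dict, Optional

@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    user: Optional[str] = None   # identity the framework established, if any

@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str

USERS = {"jeff": {"name": "jeff", "role": "admin"}}  # constructed stand-in for DB/LDAP/flat file

def wants_json(req: Request) -> bool:
    # The Ajax console sends "Accept: text/javascript"; a page navigation sends text/html.
    accept = req.headers.get("Accept", "text/html")
    return "text/javascript" in accept or "application/json" in accept

def unauthenticated(req: Request) -> Response:
    # XMLHttpRequest callers get an HTTP auth error they can react to; page loads go to the login form.
    if wants_json(req):
        return Response(401, {"WWW-Authenticate": 'Basic realm="admin"'},
                        json.dumps({"error": "authentication required"}))
    return Response(302, {"Location": "/login?next=" + req.path}, "")

def admin_user(req: Request) -> Response:
    if req.user is None:
        return unauthenticated(req)
    name = req.path.rsplit("/", 1)[-1]
    if req.method == "GET":
        # Only the method actually received decides: a PUT/DELETE that a
        # browser downgraded to GET can never change anything here.
        if name not in USERS:
            return Response(404, {}, "")
        if wants_json(req):
            return Response(200, {"Content-Type": "text/javascript"}, json.dumps(USERS[name]))
        return Response(200, {"Content-Type": "text/html"}, "<p>user %s</p>" % name)
    if req.method == "DELETE":
        USERS.pop(name, None)
        return Response(204, {}, "")
    return Response(405, {"Allow": "GET, DELETE"}, "")
```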

[Diagrams: Form-based Authentication; Ajax Authentication]

It’s no secret that I’m not a fan of any of the big free (or reasonably free, like [MovableType](http://www.sixapart.com/movabletype/)) content management systems. They all lack something. Possibly, what they really lack is the key ingredient that [37signals](http://www.37signals.com/) has added to all of their products: simplicity.

I’m going to build my own content management system. I’ll join the horde of open source (I suspect) CMSs. But I hope to be different; however, I’m not going to give away my secrets now.

Now I want to talk about authentication for Web applications.
Read An Authentication Framework »