Ajax

An Authentication Framework

Authentication baked into the framework

All the frameworks I’ve looked at have poor authentication support. Some don’t have an authentication framework at all. Some support HTTP Basic Auth or HTTP Digest Auth. Others support form-based login without HTTP auth.

Using form-based authentication is preferred for Web applications because you have complete control over the user experience. You can change the appearance of the login form; you can change the number and type of input fields; you can do anything.

HTTP Authentication has the advantage of simplicity. You can use HTTP auth to secure a folder on your Web server with only a few configuration parameters. You also have a surprising amount of flexibility with HTTP auth: your user records can be stored in a DB or in LDAP or in a flat file.

Authentication in an Ajax world

I’ve been working with TurboGears lately to build out the server-side of the CMS. One of TurboGears’ hallmark features is the ability to seamlessly return either XHTML or JavaScript objects in JSON format. That’s huge if you’re working with Ajax like I am. When you combine the JSON data with my DHTML Bindings Framework, you’ve got a really powerful toolset.

Ajax demands greater flexibility from authentication frameworks.

If you’re using Ajax with form-based authentication, what do you do if the user’s session expires and you need to redirect him to a login screen? I suppose you could send the HTML for the login screen back instead of JSON formatted objects, but your client-side code would have to be very smart.

Ideally, when building an Ajax application, you would respond with an HTML form for authentication when the browser requests an HTML page and an HTTP authentication error code when the browser uses an XMLHttpRequest to fetch a resource.
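The behaviour described above, sketched as a WSGI middleware. This is an added example, not code from TurboGears or from this site; `LOGIN_PATH`, the `is_authenticated` callback, the JSON body and the `Session` challenge name are assumptions made for illustration.

```python
import json
from urllib.parse import quote

LOGIN_PATH = "/login"  # assumed URL of the HTML login form


def wants_json(environ):
    """Pick the response format only; this header is client-controlled
    and must never be used as an access-control decision."""
    xhr = environ.get("HTTP_X_REQUESTED_WITH", "").lower() == "xmlhttprequest"
    return xhr or environ.get("HTTP_ACCEPT", "").startswith("application/json")


def safe_next(path):
    """Accept only same-site absolute paths as the post-login target."""
    bad = (not path.startswith("/") or path.startswith("//") or "\\" in path
           or any(ord(c) < 0x20 for c in path))
    return "/" if bad else path


def require_login(app, is_authenticated):
    """WSGI middleware; is_authenticated(environ) is the caller's session check."""
    def middleware(environ, start_response):
        path = environ.get("PATH_INFO", "/")
        if path == LOGIN_PATH or is_authenticated(environ):
            return app(environ, start_response)
        if wants_json(environ):
            # Ajax caller: a status code the script can test, never login HTML.
            body = json.dumps({"error": "login_required",
                               "login": LOGIN_PATH}).encode()
            start_response("401 Unauthorized", [
                ("Content-Type", "application/json"),
                # Constructed scheme name: avoids the browser's Basic/Digest prompt.
                ("WWW-Authenticate", 'Session realm="cms"'),
                ("Cache-Control", "no-store"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        # Page navigation: send the browser to the login form.
        target = LOGIN_PATH + "?next=" + quote(safe_next(path), safe="/")
        start_response("303 See Other",
                       [("Location", target), ("Content-Length", "0")])
        return [b""]
    return middleware
```

The login handler that reads `next` should pass it through `safe_next` again, because the query string is under the client's control by the time it comes back.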

Form-based Authentication

Ajax Authentication
It’s no secret that I’m not a fan of any of the big free (or reasonably free, like MovableType) content management systems. They all lack something. Possibly, what they really lack is the key ingredient that 37signals has added to all of their products: simplicity.

I’m going to build my own content management system. I’ll join the horde of open source (I suspect) CMSs. But I hope to be different; however, I’m not going to give away my secrets now.

Now I want to talk about authentication for Web applications. Read An Authentication Framework »

Ajaxian Limitation

I was just thinking about adding another Ajax-y feature to the site when it occurred to me: I can either return JavaScript or HTML but not both.

Typically when returning HTML using an XMLHttpRequest object I set the innerHTML property of a div on the page with the result (provided the operation was successful). But I’m willing to bet that any scripts contained in that HTML don’t get interpreted.

Let’s find out… Read Ajaxian Limitation »

Search via Ajax

Thanks to a kind mention by Josh Porter, I’ve seen something of a spike in traffic. And a lot of it has come from links relating to AJAX.

I’m actually working on a cool AJAX demo and the search tool on this site was just a quick hack. In case you’re interested in how it works, here’s a quick tutorial. Read Search via Ajax »