Item6023: REST handlers give error instead of redirecting to login topic

Priority: Normal
Current State: No Action Required
Released In:
Target Release: n/a
Applies To: Engine
Reported By: TWiki:Main.ThomasWeigert
Waiting For:
Last Change By: CrawfordCurrie
REST handlers do not behave the same way as scripts with respect to authentication. When I try to do something in a script that requires authentication, then the script can redirect to authentication page (if template login is selected) or use other authentication.

However, in a REST handler it appears that we need to be authenticated to execute the REST handler, and we immediately get an error if that is not the case.

I am not sure whether that has to be this way, but it is not good. We are giving users browser errors, where we should ask them to login/register.

I consider this a serious problem, in particular as we seem to drive towards replacing some scripts by REST handlers.

-- TWiki:Main/ThomasWeigert - 26 Sep 2008

That's exactly how RESTful behavior should be, though. Anything else is a violation of HTTP standards, which are important to REST.

I'd actually be happier if TWiki returned a proper 404 on nonexistent pages instead of the "200 Yeah We Don't Have That But Here's A Form To Create It" it now returns, which gives Googlebot and friends the wrong impression.

-- TWiki:Main.KarenCravens - 26 Sep 2008


It should be possible to have authorized and unauthorzied access to a REST handler. But in either cases the handler should respond with proper http codes.

I only expect machines to call REST handlrers, not humans. If a user gets a browser error page, thats a problem of the application calling the handler.

-- TWiki:Main.OliverKrueger - 26 Sep 2008

The difficulty is that people have started using REST handlers where in the past we would have had scripts, such as putting them as the actions that get invoked when when executing a form, for example, or clicking a button. There has been some rumour that we are supposed to rewrite all scripts as REST.

But the current system works so that scripts can authenticate after being invoked. I cannot quite imagine how you could authenticate before you call REST when the REST call is on a form, for example, unless we ensure that a user is always logged in.

-- ThomasWeigert - 28 Sep 2008

Duplicate of Item4929 - please follow up there

-- CrawfordCurrie - 04 Jan 2009

ItemTemplate edit

Summary REST handlers give error instead of redirecting to login topic
ReportedBy TWiki:Main.ThomasWeigert
SVN Range TWiki-5.0.0, Tue, 23 Sep 2008, build 17539
AppliesTo Engine
Priority Normal
CurrentState No Action Required
Checkins ClassificationPlugin:0cdaa08b72d0
TargetRelease n/a
Topic revision: r6 - 04 Jan 2009, CrawfordCurrie
The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. Creative Commons License    Legal Imprint    Privacy Policy