On 10/24/12 8:58 PM, Ross Singer wrote:
> On Oct 24, 2012, at 6:06 PM, Gary McGath <[log in to unmask]> wrote:
>
>> On 10/24/12 4:00 PM, Ross Singer wrote:
>>> On Oct 24, 2012, at 3:48 PM, Gary McGath <[log in to unmask]> wrote:
>>>
>>>> With AJAX, a resource can be brought up by refreshing part of an
>>>> existing page rather than as a whole new page. If the page is expecting,
>>>> for example, a JPEG image, and the request for the image is redirected
>>>> to a login page because it's restricted, then the page won't get back an
>>>> image, but instead will get back the HTML for the login page. The HTML
>>>> <img> tag can't do anything with this, and it will merely fail to
>>>> display the image.
>>>>
>>>
>>> What does this have to do with discovery interfaces?
>>
>> The issue is generic to any web application that has a mix of public and
>> restricted resources and may encounter restricted ones at unexpected
>> times, such as was being discussed with discovery interfaces.
>>
> The discovery interface knows what is restricted.
>
> That's why it's saying you don't have access to them until you log in.
Agreed.
>>> Also, why wouldn't your AJAX-enabled app be prepared for such an event?
>>
>> Are you asking how an AJAX-enabled application can handle such cases?
>
> No, I know how an AJAX-enabled application should handle such cases,
> I'm saying why, if you're implementing an AJAX-enabled application,
> why you think this would be an issue. Because I just don't see this
being an issue.
This has always been a tricky thing to explain; it's not just you, if
that's any consolation. Someday I'll figure out how to make it clear on
the first try. The point is that if a service redirects to a login page,
it assumes the browser can display the login page. Normally this is
true, but only if the resource would be delivered as a web page. AJAX
components are received as elements, not pages.
If you like, I can go into more detail off-list. This is really too much
of a side technical issue to be worth taking up a lot of space on the list.
>
>> I'm not sure this is the appropriate venue for getting into the
>> technical details, and I've encountered the problem without having
>> managed to implement a solution, but I'll briefly cover how I'd attack
>> the problem.
>>
>> If the resource redirects to an HTML login page, the Ajax code can't
>> make any sense of that, so it can't be "prepared for such an event."
>
> Sure it can. I mean, no matter what, you're constrained by same origin policy, so any 'login' is going to be something local, so it seems pretty easy to account for.
It's a matter of the difference between, for example, the src attribute
of an <img> tag and a web page. Again, I don't want to turn this into a
full-fledged programming discussion on-list.
>
> Bringing JSONP and CORS into the mix doesn't really change anything, as I can't imagine you're just blindly pulling in content from some external site.
>
>> However, if the response has an HTTP code indicating that authentication
>> is required, the Ajax error handler can dispatch on the code and
>> dispatch an event which is handled at the page's top level, forcing the
>> whole page to redirect to the login. This is doable but a bit messy and
>> reduces the value of AJAX. Giving an indication that not all resources
>> could be loaded and providing the option to log in is cleaner.
>
> AJAX isn't some magical potion that eliminates the need to plan and engineer
> your app. I don't think 'accounting for the web being a messy place'
> reduces the value of AJAX. It means you have to earn your keep. You
> know, as a professional software developer.
I've been trying to respond to you seriously, but at this point you're
really starting to sound like a troll. Addressing a technical issue by
saying "you have to earn your keep" is no answer at all, particularly
when you aren't paying me.
>>> There are lots of things everywhere (not just library-related) that require logins. The internet hasn't broken as a result.
>>
>> I'm afraid I don't understand how this relates to what I was discussing.
>
> Which goes back to how I don't understand what AJAX has to do with the fact that some things aren't, by default, being displayed in discovery interfaces.
>
>> I didn't deny either of those points (though the Internet is always in a
>> partly broken state). By "require login," do you mean "automatically
>> redirect a request for a restricted resource to a login page"? I find
>> that's more the exception than the rule.
>>
> Depends. There's tons of content that requires a login to see: stuff in VLEs;
>Facebook statuses; corporate intranets; Pinboard bookmarks; subscriber
paywalls;
>etc. I think there's no end to the creative ways that developers and
designers
>block public access to things.
Then why are you so insistent on auto-redirect as the only way to do it?
I can't check every one of the things you mention, but Facebook statuses
in particular do _not_ auto-redirect to a login page.
Perhaps you really don't understand the difference between
auto-redirecting a resource to a login page and having a login link or
button on a page indicating content is unavailable. In that case, I have
to recommend you get better informed on basic concepts of access
restriction.
I will not discuss this further on-list.
--
Gary McGath, Professional Software Developer http://www.garymcgath.com
|