[OSM-dev] API authentication
frederik at remote.org
Mon May 14 02:03:20 BST 2007
> Some quick tests and it looks trivial to be able to restrict API
> authentication to just POST/DELETE/whatever requests.
> What does this mean?
First of all, it saves an extra HTTP roundtrip in many cases (initial
JOSM downloads etc), so thumbs up.
> If JOSM or $EDITOR were to set Accept: headers on their request then
> they could be given text/xml OSM data. If Accept: wasn't present
> then, say, JSON could be returned or text/html.
Cool, and Accept: application/pdf would return a PDF atlas ;-)
However, many browsers natively accept XML data and display it in an XML
viewer. Firefox, by default, sends:
So the Accept: header alone is probably not suitable for selecting what
to deliver, unless we would define a special OSM MIME type
(application/osmxml or whatever).
> The simplest possible thing that could work as a first step is to
> turn off requiring authentication for GET requests. I haven't just
> done it in case it horribly breaks some client or other
Most clients probably use some sort of abstraction lib that does
everything magically anyway, i.e. $CLIENT provides password to $LIBRARY
which sentds it to the server if the server so desires, and $CLIENT
won't even notice your change.
Frederik Ramm ## eMail frederik at remote.org ## N49°00.09' E008°23.33'
More information about the dev