Web Authorization Problem
- HTTP is “stateless” - there is no such thing as logging on.
- So… HTTP includes a mechanism where the web server can challenge for a credential (a 401 Unauthorized response carrying a WWW-Authenticate header), causing the browser to display a dialog box prompting for username/password. If accepted by the server, the browser begins transmitting this credential in the Authorization header field for each request.
- But... HTTP deliberately makes it impossible for a 3rd-party server (Library System) to send the credential for another server (Vendor System).
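
The challenge and retry described above, as an added example that is not part of the original slides: a simplified model of a Basic-auth server and of a browser that caches the accepted credential per origin, so nothing is attached to a request for a different server. The host names, the account, the realm string and the `Browser` class are assumptions made for illustration; real browsers also scope cached credentials by realm.

```python
import base64
import hmac

USERS = {"patron": "s3cret"}   # constructed account, not from the page


def vendor_server(headers):  # returns (status, response_headers)
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "basic":
        try:
            text = base64.b64decode(token, validate=True).decode("utf-8")
        except ValueError:  # bad base64 or bad UTF-8
            text = ""
        user, _, password = text.partition(":")
        if user in USERS and hmac.compare_digest(USERS[user].encode(), password.encode()):
            return 200, {}
    return 401, {"WWW-Authenticate": 'Basic realm="Vendor System"'}


class Browser:
    """Simplified model: cached credentials are keyed by origin."""
    def __init__(self, prompt):
        self.prompt = prompt   # stands in for the username/password dialog
        self.cache = {}        # origin -> Authorization header value
        self.sent = []         # (origin, headers) for every request made

    def _send(self, origin, server, headers):
        self.sent.append((origin, dict(headers)))
        return server(headers)

    def get(self, origin, server):
        headers = {}
        if origin in self.cache:   # only this origin's credential is attached
            headers["Authorization"] = self.cache[origin]
        status, response = self._send(origin, server, headers)
        if status == 401 and "WWW-Authenticate" in response:
            user, password = self.prompt(origin, response["WWW-Authenticate"])
            token = base64.b64encode(f"{user}:{password}".encode()).decode()
            headers = {"Authorization": "Basic " + token}
            status, _ = self._send(origin, server, headers)
            if status == 200:
                self.cache[origin] = headers["Authorization"]
        return status


def demo():
    asked = []
    browser = Browser(lambda origin, challenge: asked.append(origin) or ("patron", "s3cret"))
    statuses = [browser.get("https://vendor.example", vendor_server),
                browser.get("https://vendor.example", vendor_server),
                browser.get("https://library.example", lambda h: (200, {}))]
    return statuses, asked, browser.sent
```

`demo()` returns the status of each request, the origins that triggered the password dialog, and every set of request headers sent, which shows one prompt for the vendor and no Authorization header on the library request.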