Authorization Algorithm

Notes:

Authorization occurs on every request. bOP is sessionless. If a user changes his password on one computer, the next request from the same user on another computer will be unauthenticated, and the user will be logged out.
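One way a sessionless design can produce the logout-on-password-change behaviour described above, as an added Perl example that is not bOP's code. It assumes the cookie carries a MAC bound to the user's current stored password hash, which this page does not specify; `set_password`, `issue_cookie`, `authenticate`, `constant_time_eq` and the key are hypothetical names.

```perl
#!/usr/bin/perl
# Added illustration; not bOP code. All names here are hypothetical.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex sha256_hex);

my $SERVER_KEY = 'constructed-demo-key';    # constructed value
my %USERS;                                  # stand-in for the user table

sub set_password {
    my ($user, $password) = @_;
    # Demo only: a real store would use a salted, slow password hash.
    $USERS{$user} = sha256_hex("$user:$password");
    return;
}

# Cookie value = user plus a MAC over the user's *current* stored hash.
sub issue_cookie {
    my ($user) = @_;
    return join(':', $user, hmac_sha256_hex("$user:$USERS{$user}", $SERVER_KEY));
}

# Byte-wise comparison that does not stop at the first mismatch.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Runs on every request; nothing is remembered between requests.
sub authenticate {
    my ($cookie) = @_;
    my ($user, $mac) = split(/:/, $cookie // '', 2);
    return undef unless defined($mac) && exists($USERS{$user});
    my $expect = hmac_sha256_hex("$user:$USERS{$user}", $SERVER_KEY);
    return constant_time_eq($mac, $expect) ? $user : undef;
}

set_password('alice', 'first-password');
my $computer_a = issue_cookie('alice');
my $computer_b = issue_cookie('alice');
print 'before change, B: ', authenticate($computer_b) // 'unauthenticated', "\n";

set_password('alice', 'second-password');   # changed from computer A
$computer_a = issue_cookie('alice');        # A receives a fresh cookie
print 'after change,  A: ', authenticate($computer_a) // 'unauthenticated', "\n";
print 'after change,  B: ', authenticate($computer_b) // 'unauthenticated', "\n";
```

Because the check is recomputed from the stored hash on each request, no server-side session has to be found and revoked when the password changes.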

Apache calls Bivio::Agent::HTTP::Dispatcher->handler, which invokes Bivio::Agent::Dispatcher->process_request, where step 1 begins.

Bivio::Agent::HTTP::Cookie delegates to Bivio::Delegate::Cookie.

Bivio::UI::Task->parse_uri does the work of establishing the Bivio::UI::Facade and mapping the URI to a task and realm. The task must have a URI in the Bivio::UI::Task map for the particular facade, or a NOT_FOUND exception will be thrown.

Bivio::Agent::HTTP::Request->client_redirect_if_not_secure is not called if the configuration or request cannot go into SSL mode. This happens when testing Apache in single server mode or when the task is executed from the command line or as a background job.

Any task item may also throw a FORBIDDEN exception. These conditions are decided on a case-by-case basis. Programmers should, however, rely on the above well-tested authorization algorithm as much as possible.

This authorization algorithm is for a Bivio::Agent::HTTP::Request. Bivio::Agent::Job::Request and Bivio::Test::Request do not authenticate the user, because the user is either passed on the command line or has already been authenticated. The execution path is identical from step 5 onwards.