Notes:
Authorization occurs on every request. bOP is sessionless. If a user
changes his password on one computer, the next request from the same
user on another computer will be unauthenticated, and the user will be
logged out.
Apache calls Bivio::Agent::HTTP::Dispatcher->handler, which invokes
Bivio::Agent::Dispatcher->process_request, where step 1 begins.
Bivio::Agent::HTTP::Cookie delegates to Bivio::Delegate::Cookie.
Bivio::UI::Task->parse_uri establishes the Bivio::UI::Facade and maps
the URI to a task and realm. The task must have a URI in the
Bivio::UI::Task map for the particular facade, or a NOT_FOUND exception
will be thrown.
Bivio::Agent::HTTP::Request->client_redirect_if_not_secure is not called
if the configuration or request cannot go into SSL mode. This happens
when testing Apache in single server mode or when the task is executed
from the command line or as a background job.
Any task item may throw a FORBIDDEN exception as well. These conditions
are decided on a case-by-case basis. However, programmers should rely on
the above well-tested authorization algorithm as much as possible.
This authorization algorithm is for a Bivio::Agent::HTTP::Request.
Bivio::Agent::Job::Request and Bivio::Test::Request do not authenticate
the user,
because the user is either passed on the command line or has already
been authenticated. The execution path is identical from step 5
onwards.