The experience I have had with AOLServer was exactly what I was concerned about. After doing some other testing it appears that passing the authenticated user_id in the query string is working just fine for a POST. I have set up the ns_register_filter postauth with a * in the place of the method and it is working for both POST and GET. I am expecting it to work for all methods.
GET and POST requests are working well, but we have encountered a problem with a PUT request.
In the callback proc I am obtaining the user_id, to send onto the other server, via a call to [auth::require_login]. This is not working in the case of PUT. With a PUT request the user_id is not obtained inside of the [auth::require_login] via the call to [auth::get_user_id ...]. It returns 0 even though a successful GET or POST was just performed so I know I am logged in. (A subsequent POST after the failed PUT works fine as well.) The cookies are all sent the same as well.
Inside the [auth::require_login] after [auth::get_user_id ...] returns 0, a call to [ad_conn auth_level] is made and fails with an error stating that "auth_level" is not a valid option. This is true. I cannot find "auth_level" as a valid option in ad_conn nor in ns_conn so I do not understand how this call ever succeeds, even though I can call [ad_conn auth_level] from the shell and it returns "ok". This is baffling to me.
With all of this said, is there something different about the PUT method that is different from a GET and POST that would cause the request processor to not authenticate the user (as well as cause auth::require_login to fail)? Is there a way to overcome this?
Thanks,
-Tony