Open
Description
Consider NOT handling the authentication part. Just assume the server did its part and expect the header proclaiming user to equal authorized user.
Need to set up basic call-back hooks for verifying permissions for a given user. Since the "rights" storage is very specific to deployment, provide for plug-able way of calling a "rights management" code in a generic way.