W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1996

RE: proxies rewriting URLs

From: Paul Leach <paulle@microsoft.com>
Date: Mon, 11 Mar 96 10:33:49 PST
To: john@math.nwu.edu
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Message-Id: red-16-msg960311182637MTP[01.52.00]000000b1-139534
----------
] From: John Franks  <john@math.nwu.edu>
] Date: Sunday, March 10, 1996 4:41PM
]
] On Fri, 8 Mar 1996, Paul Leach wrote:
]
] > Any digest that included the URI would be wrong if the URI is munged by
] > the proxy. It would break Digest Authentication, for example.
]
] Actually, a proxy munging the URL will cause no problem for digest
] authentication.  The URL is duplicated in the uri field of the
] authentication header to deal with exactly this issue.  Of course,
] if a proxy munges the Authorization: header then there will be
] problems.

Interesting.  What happens if I  do this:
	GET /secret.txt HTTP/1.1
	Authorization:  uri="/public.txt",
	 username="fred", realm="www.foo.com",
	 nonce="deadbeef", response="0123456789abcdef0123456789abcdef"

If the server checks the authorization header and its URI, but then 
uses the URI from the Request-URI in the request line, the whole 
exercise will have been wasted.
And if proxies are allowed to munge the URI in unknown ways, the server 
can't compare the request-URI with the uri in the Authorization header.

The Digest draft should say the the server MUST use the URI from the 
Authorization header, as that is the only one that has been authenticated.

Paul
Received on Monday, 11 March 1996 10:35:56 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:31:48 EDT