Re: Basic Authentication behavior

On Mon, 8 Sep 1997, Foteos Macrides wrote:

> 
> 	The actual URL in your test suite is:
> 
> 	http://digest-test.agranat.com/171503568/basic_multiple/step2.html
> 
> which matches my "libwww heritage" UA's template, "/2887613/basic_multiple/*"
> for Basic realm "basic_m1", so it sends the seemingly appropriate (but from
> your perspective, inappropriate) WWW-Authenticate request header for that
> Basic realm,[...]

Is this a typo?  /171503568 doesn't match /2887613.  I don't know if
any browsers would try the same credentials for these two quite
different URL's.  But this is an issue Scott's test doesn't cover.


> [...] That particular implied/inferred template "trick" carries
> with it the "security risk" (assume https URLs so you don't miss
> the point simply because it's Basic Access Authentication) that
> providers not aware of it might assign two resources intended to
> be in different Basic realms to symbolic URL paths which yield the
> same implied/inferred template, as you are doing in your test, and
> those two resources are managed by different "providers" at that
> host, who should not be getting each others' authentication info.
 
I think it is always risky to have two authentication realms on the
same server managed by different "providers" as one could simply claim
to be in the realm of the other.  The spec says:

  "The realm value (case-sensitive), in combination with the canonical
  root URL (see section 5.1.2) of the server being accessed, defines the
  protection space."

and I interpret this to mean the realm + hostname part of the URL
determine the protection space.  Even if the template behavior you
describe is common, some browsers might not provide it.

> 
> John Franks <john@math.nwu.edu> wrote:
> >I believe that there is common current practice which is different from
> >this, but I think there is no need to discuss the algorithm the client
> >uses to pick the template as that is an implementation decision.
> >
> 	John does not spell out that other "common current practice".
> I don't know if those UAs pass Scott's test.  


I believe that current Netscape browsers after successfully supplying
credentials for http://host/foo/index.html will use a "template"
more like "/foo*/*".  In particular they will send the same 
credentials for a request to http://host/foobar/index.html.



John Franks 	Dept of Math. Northwestern University
		john@math.nwu.edu

Received on Monday, 8 September 1997 12:40:46 UTC