- From: Gisle Aas <gisle@aas.no>
- Date: Mon, 6 Apr 1998 11:51:53 +0100 (BST)
- To: "Life is hard... and then you die." <Ronald.Tschalaer@psi.ch>
- Cc: GISLE@aas.no, HTTP-WG@cuckoo.hpl.hp.com
Ronald.Tschalaer@psi.ch (Life is hard... and then you die.) writes: > > 2) How to interpret the URIs in the 'domain' attribute of the Digest > > WWW-Authenticate is not clear to me either. Are the URIs in this > > list path prefixes that define protection spaces or must there be > > an exact match. If it is a prefix, what happens if the URI contains a > > query part. > > An exact match. Would not that make this attribute too long to be useful for any real use? If you try to protect one specific server script you have to make a domain attribute that lists all possible parameters (query part) that this script takes. > > 3) Section 3.6 does not seem to know about the "407 Proxy > > Authentication Required" status code. I though that a > > "Proxy-Authenticate" header could only be present in a 407 response. > > That is at least how I read <draft-ietf-http-v11-spec-rev-03>. I > > would like this paragraph to go away (it would complicate my > > implementation if it stays): > > > > Note that in principle a client could be asked to authenticate > > itself to both a proxy and an end-server. It might receive an > > "HTTP/1.1 401 Unauthorized" header followed by both a WWW- > > Authenticate and a Proxy-Authenticate header. However, it can > > never receive more than one Proxy-Authenticate header since such > > headers are only for immediate connections and must not be passed > > on by proxies. If the client receives both headers, it must > > respond with both the Authorization and Proxy-Authorization > > headers as described above, which will likely involve different > > combinations of username, password, nonce, etc. > > How come this would complicate the implementation? Instead of doing > > if (status == 401) > handle_auth_header > if (status == 407) > handle_proxy-auth_header > > it becomes > > if (status == 401) > handle_auth_header > handle_proxy-auth_header > if (status == 407) > handle_proxy-auth_header The problem for me is that handle_auth_header() will actually send a follow-up request (usually after asking the user for a new username/password). I just have to rethink how to deal with this I guess. > Actually, now that you mention it, I'm not even really sure why the 407 > is needed at all. The Authorization vs. Proxy-Authorization header gives > you enough info on where the challenge is coming from. Can anybody shed > some light on why 407 exists? Perhaps some old clients that get confused if they get a 401 without any WWW-Authenticate? > I think there is a problem with the nonce-count and the MD5-sess > implementation. Assuming that _set_authorization is only called upon > receipt of a Authentication or Proxy-Authentication header (i.e. it's > not used for preemptively sending auth info) you need the following > changes: The intent is to use it preemptively (assuming that you by this mean to send a Authentication to a URL before having seen any WWW-Authenticate for it). Is there problem with this? This also brings up another question on how nonce-count and domain interact. If you have a Digest space that spans several servers, should the nonce-count be incremented seperately for these servers or should they share it? Regards, Gisle
Received on Monday, 6 April 1998 06:15:02 UTC