W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1998

Re: More comments on draft-ietf-http-authentication-01.txt

From: Gisle Aas <gisle@aas.no>
Date: Mon, 6 Apr 1998 11:51:53 +0100 (BST)
To: "Life is hard... and then you die." <Ronald.Tschalaer@psi.ch>
Cc: GISLE@aas.no, HTTP-WG@cuckoo.hpl.hp.com
Message-Id: <m3ra3b47lx.fsf@furu.g.aas.no>
Ronald.Tschalaer@psi.ch (Life is hard... and then you die.) writes:

> > 2) How to interpret the URIs in the 'domain' attribute of the Digest
> > WWW-Authenticate is not clear to me either.  Are the URIs in this
> > list path prefixes that define protection spaces or must there be
> > an exact match.  If it is a prefix, what happens if the URI contains a
> > query part.
> 
> An exact match.

Would not that make this attribute too long to be useful for any real
use?  If you try to protect one specific server script you have to
make a domain attribute that lists all possible parameters (query
part) that this script takes.


> > 3) Section 3.6 does not seem to know about the "407 Proxy
> > Authentication Required" status code.  I though that a
> > "Proxy-Authenticate" header could only be present in a 407 response.
> > That is at least how I read <draft-ietf-http-v11-spec-rev-03>.  I
> > would like this paragraph to go away (it would complicate my
> > implementation if it stays):
> > 
> >   Note that in principle a client could be asked to authenticate
> >   itself to both a proxy and an end-server. It might receive an
> >   "HTTP/1.1 401 Unauthorized" header followed by both a WWW-
> >   Authenticate and a Proxy-Authenticate header. However, it can
> >   never receive more than one Proxy-Authenticate header since such
> >   headers are only for immediate connections and must not be passed
> >   on by proxies. If the client receives both headers, it must
> >   respond with both the Authorization and Proxy-Authorization
> >   headers as described above, which will likely involve different
> >   combinations of username, password, nonce, etc.
> 
> How come this would complicate the implementation? Instead of doing
> 
>   if (status == 401)
>       handle_auth_header
>   if (status == 407)
>       handle_proxy-auth_header
> 
> it becomes
> 
>   if (status == 401)
>       handle_auth_header
>       handle_proxy-auth_header
>   if (status == 407)
>       handle_proxy-auth_header

The problem for me is that handle_auth_header() will actually send a
follow-up request (usually after asking the user for a new
username/password).  I just have to rethink how to deal with this I
guess.


> Actually, now that you mention it, I'm not even really sure why the 407
> is needed at all. The Authorization vs. Proxy-Authorization header gives
> you enough info on where the challenge is coming from. Can anybody shed
> some light on why 407 exists?

Perhaps some old clients that get confused if they get a 401 without
any WWW-Authenticate?


> I think there is a problem with the nonce-count and the MD5-sess
> implementation. Assuming that _set_authorization is only called upon
> receipt of a Authentication or Proxy-Authentication header (i.e. it's
> not used for preemptively sending auth info) you need the following
> changes:

The intent is to use it preemptively (assuming that you by this mean
to send a Authentication to a URL before having seen any
WWW-Authenticate for it).  Is there problem with this?

This also brings up another question on how nonce-count and domain
interact.  If you have a Digest space that spans several servers,
should the nonce-count be incremented seperately for these servers or
should they share it?

Regards,
Gisle
Received on Monday, 6 April 1998 06:15:02 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:14 EDT