- From: David Morris <dwm@xpasc.com>
- Date: Thu, 23 Oct 2003 09:54:30 -0700 (PDT)
- Cc: <ietf-http-wg@w3.org>
On Thu, 23 Oct 2003, Scott Lawrence wrote: > > In any event, proxy2 is incorrect to associate the connection with > the authentication of the first request on that connection; all requests > are stateless, including authentication attributes. Each request must > be authenticated on its own - this is _not_ one of the _actual_ benefits > of persistent connections. I don't recall how it was determinted that Proxy1 was forwarding proxy authentication headers to Proxy2. Sans a tcp/ip trace or comprehensive logs, I would postulate that the described behavior would occur with both proxy1 and proxy2 working as Dave and Scott have described is required: a. User1 sends request to Proxy1 and proxy authenticates with Proxy1 which User1 is authorized to do. b. Proxy1 sends the request to Proxy2 and subsequently authenticates itself (proxy1) to Proxy2. c. User1 gets the expected response from Server via the proxy chain. d. User2 sends request to Proxy2 and proxy authenticates with Proxy1 which User2 IS authorized to use. e. Proxy1 now sends the request to Proxy2 and Proxy1 validly authenticates with Proxy2 ... proxy1 is still a valid user of proxy2. f. User2 gets the unexpected response from Server but it is valid. This scenario would appear, to someone who was expecting users and not proxies to authenticate with proxy2, as if proxy2 was remembering stale data. Just a thought, Dave Morris
Received on Thursday, 23 October 2003 13:10:04 UTC