Re: [#177] Realm required on challenges

Not to argue a particular position WRT #177, but using NTLM is
probably a bad example, precisely because it does connection
authentication -- thereby breaking HTTP's assumption of statelessness.

Cheers,


On 07/07/2009, at 5:35 PM, Robert Collins wrote:

> On Tue, 2009-07-07 at 17:15 +1000, Mark Nottingham wrote:
>> [ this was raised anonymously ]
>>
>> p7 defers to RFC2617 for the definition of challenge.
>>
>> RFC 2617, section 1.2 says:
>>
>> challenge = auth-scheme 1*SP 1#auth-param
>>
>> ... The authentication parameter realm is defined for all
>> authentication schemes:
>>
>> realm = "realm" "=" realm-value
>> realm-value = quoted-string
>>
>> The realm directive (case-insensitive) is required for all
>> authentication schemes that issue a challenge.
>
> With you so far.
>
>> The interpretation being that challenges (which is what www-
>> authenticate is defined as) MUST contain at least one parameter and
>> that parameter MUST be a realm.
>
> Got that too.
>
>> Is it truly necessary for all authentication schemes to include a
>> 'realm' parameter? If so, it should be documented (e.g., in the
>> section about extension authentication schemes).
>
> I'd have to check, but I'm fairly sure that NTLM doesn't provide a
> realm in its challenges. I'm also fairly certain, because that scheme
> does connection authentication, not message authentication, that the
> intended use - partitioning a single site - doesn't even make sense
> for that scheme (nor the Negotiate scheme).
>
> -Rob


--
Mark Nottingham     http://www.mnot.net/

Received on Tuesday, 7 July 2009 07:42:47 UTC
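The thread above turns on the RFC 2617 challenge grammar (challenge = auth-scheme 1*SP 1#auth-param, with realm required) and on the observation that NTLM and Negotiate challenges carry no realm at all. The following parser is an added example, not code from the thread, the HTTP WG, or any cited RFC. It splits a WWW-Authenticate field into individual challenges and reports which ones lack a realm. It goes slightly beyond RFC 2617 by also accepting the bare base64-style blob (the token68 form that RFC 7235 later standardised) that NTLM and Negotiate actually send after the scheme name, since under the 2617 grammar alone such a challenge cannot even be parsed. All header values below are constructed samples; the NTLM blob is an arbitrary string, not a real NTLM message.

```python
import re

# RFC 2616/7230 token characters; used for auth-scheme and auth-param names.
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
TOKEN = TCHAR + "+"
QUOTED_STRING = r'"(?:[^"\\]|\\.)*"'          # commas inside quotes stay inside

_SCHEME = re.compile(TOKEN)
_PARAM = re.compile(rf"({TOKEN})\s*=\s*({TOKEN}|{QUOTED_STRING})")
_TOKEN68 = re.compile(r"[A-Za-z0-9\-._~+/]+=*")   # RFC 7235 token68 (assumed extension)
_WS = re.compile(r"\s*")
_SEP = re.compile(r"[\s,]*")                      # list separators between challenges
_COMMA = re.compile(r"\s*,\s*")

# Constructed sample headers (not taken from any real server).
SAMPLE_HEADERS = {
    "basic": 'Basic realm="WallyWorld"',
    "digest": 'Digest realm="corp.example", qop="auth,auth-int", nonce="n0nc3"',
    "ntlm_bare": "NTLM",
    "ntlm_blob": "NTLM TlRMTVNTUAACAAAA",          # arbitrary token68, not a real message
    "mixed": 'Negotiate, NTLM, Basic realm="corp"',
}


def _unquote(value):
    """Strip a quoted-string's quotes and undo backslash quoting; tokens pass through."""
    if value.startswith('"'):
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value


def parse_challenges(header):
    """Parse a WWW-Authenticate value into [{scheme, params, token68}, ...].

    A comma starts a new challenge unless what follows it looks like
    'name=value', in which case it continues the current param list.
    """
    challenges = []
    pos, end = 0, len(header)
    while True:
        pos = _SEP.match(header, pos).end()
        if pos >= end:
            return challenges
        m = _SCHEME.match(header, pos)
        if m is None:
            raise ValueError(f"expected auth-scheme at offset {pos}: {header[pos:pos + 20]!r}")
        challenge = {"scheme": m.group(0), "params": {}, "token68": None}
        challenges.append(challenge)
        pos = m.end()
        ws = _WS.match(header, pos)
        if ws.end() == pos:
            continue                      # scheme followed by ',' or end: bare challenge
        pos = ws.end()
        m = _PARAM.match(header, pos)
        if m is None:                     # no auth-params: maybe a token68 blob
            m = _TOKEN68.match(header, pos)
            if m is not None:
                challenge["token68"] = m.group(0)
                pos = m.end()
            continue
        while m is not None:              # consume the auth-param list
            challenge["params"][m.group(1).lower()] = _unquote(m.group(2))
            pos = m.end()
            comma = _COMMA.match(header, pos)
            if comma is None:
                break
            m = _PARAM.match(header, comma.end())
            if m is not None:
                pos = comma.end()         # comma belonged to this param list


def challenges_without_realm(header):
    """Schemes in the header that violate RFC 2617 1.2's 'realm is required'.

    The realm directive is case-insensitive, so params are keyed lowercase.
    """
    return [c["scheme"] for c in parse_challenges(header) if "realm" not in c["params"]]


if __name__ == "__main__":
    for name, value in SAMPLE_HEADERS.items():
        missing = challenges_without_realm(value)
        print(f"{name:10} {value!r}")
        print(f"{'':10} challenges lacking realm: {missing or 'none'}")
```

Run against the samples, the Basic and Digest challenges parse with a realm, while NTLM (bare or with its blob) and Negotiate report no realm, which is exactly the gap the thread is debating: for a connection-authenticating scheme there is no realm to partition a site by, so a validator that enforces the 2617 rule literally rejects every NTLM and Negotiate challenge.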