W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2010

WWW-Authenticate / Proxy-Authenticate with 200 response

From: Adrien de Croy <adrien@qbik.com>
Date: Thu, 18 Nov 2010 13:06:13 +1300
Message-ID: <4CE46DF5.4050004@qbik.com>
To: HTTP Working Group <ietf-http-wg@w3.org>

Hi all

I've just been doing some research on this, since I've seen a case where 
SPNEGO is being used (for proxy auth actually which seems to contravene 
SPNEGO RFC 4559 S.6 para 3) resulting in a final chunk of auth protocol 
data lying around needing to go back to the client even though the auth 
was successful.

My initial thoughts were to drop this, since obviously one mustn't send 
a WWW-Authenticate or Proxy-Authenticate header in a 200 response.  Wrong.

The SPNEGO spec actually indicates it's intended to send such a header 
in a success response.

I'm just wondering while we're updating the specs for authentication, 
whether the prose around the WWW-Authenticate and Proxy-Authenticate 
headers should indicate it may also appear in responses other than 
401/407 respectively.  At the moment it states the header MUST appear in 
a 401/407 but that's it.  It's not intuitive to expect to see one in 
another response.

Why anyone would use NTLM over SPNEGO over HTTP is beyond me though.  
Makes a painful 3-request NTLM handshake seem like bliss compared to the 
extra steps involved and resulting SPNEGO agony.  Especially since the 
browser cannot know apriori if the server/proxy will require auth for 
any particular request/connection.  This is one of the problems of 
offloading this task to an underlying system (SSPI) that doesn't know 
what it's being layered over.

Regards

Adrien
Received on Thursday, 18 November 2010 00:06:52 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:33 GMT