
RE: http-request authentication missing realm?

From: <Toman_Vojtech@emc.com>
Date: Wed, 10 Dec 2008 09:03:51 -0500
Message-ID: <6E216CCE0679B5489A61125D0EFEC7870DBC1291@CORPUSMX10A.corp.emc.com>
To: <public-xml-processing-model-comments@w3.org>

> 
> > I think a realm value is required for Digest authentication,
> > but I don't think we provide any way of supplying it.
> 
> I am no expert on this, but I thought that the realm information is
> actually provided by the server, as part of the authentication
> challenge. The client then combines the username, password and the
> server-provided realm (and the 'nonce' value which is also provided by
> the server), and computes an MD5 hash which he then sends back to the
> server.
> 
> Providing p:http-request with an explicit realm option would only make
> sense to me if p:http-request contained some logic for determining which
> username/password to pick for a particular authentication realm.

Actually, now that I think about it further, providing an explicit realm
would make sense with Basic authentication, and with
'send-authorization' set to true. For Digest authentication, I am not
sure, because I think you can't avoid the authentication challenge there
(...or can you?)

Vojtech
Received on Wednesday, 10 December 2008 14:07:59 GMT
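
The Digest computation discussed in this message, as an added example that is not part of the original post or of any XProc implementation: it follows RFC 2617 and uses that RFC's own sample challenge and credentials. The function names are assumptions made for the illustration.

```python
import hashlib
import re

# Sample challenge and credentials are the ones printed in RFC 2617, section 3.5.
CHALLENGE = ('Digest realm="testrealm@host.com", qop="auth,auth-int", '
             'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
             'opaque="5ccc069c403ebaf9f0171e9517f40e41"')


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def parse_challenge(header_value):
    """Split a WWW-Authenticate value into its Digest parameters."""
    scheme, _, params = header_value.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', params)
    return {name.lower(): quoted or bare for name, quoted, bare in pairs}


def digest_response(ch, username, password, method, uri, cnonce, nc="00000001"):
    """Compute the 'response' value the client sends back (MD5 algorithm only)."""
    if ch.get("algorithm", "MD5").upper() != "MD5":
        raise ValueError("only the MD5 algorithm is handled here")
    # The realm and nonce both come from the server's challenge; the realm is
    # hashed together with the user's secret, so it cannot be left out.
    ha1 = md5_hex(f"{username}:{ch['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    qop_offered = [q.strip() for q in ch.get("qop", "").split(",")]
    if "auth" in qop_offered:
        return md5_hex(f"{ha1}:{ch['nonce']}:{nc}:{cnonce}:auth:{ha2}")
    # Challenge without qop: older RFC 2069 form of the computation.
    return md5_hex(f"{ha1}:{ch['nonce']}:{ha2}")


if __name__ == "__main__":
    ch = parse_challenge(CHALLENGE)
    print("realm from server:", ch["realm"])
    print("response:", digest_response(ch, "Mufasa", "Circle Of Life",
                                       "GET", "/dir/index.html", "0a4f113b"))
```
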
