Re: Proxy authentication

On Tue, 23 Apr 1996, Roy T. Fielding wrote:

> Proxy-Authenticate and Proxy-Authorization are (or should be) defined 
> according to the Netscape Proxy implementation.  The current spec is
> lacking the wording that I sent in a couple months ago about how the
> proxy should forward the field if the credentials do not apply to it.
> One problem is that the realm is not sent with the credentials (only
> with the challenge), and thus things can still get messed-up if more
> than one proxy is demanding credentials on a single request.

In the current 02 version of the spec it is not clear (to me) that
the realm is required to be unique across hosts/proxies.  Here is what
the spec says:

            realm          = "realm" "=" realm-value
            realm-value    = quoted-string

      The realm attribute (case-insensitive) is required for all
      authentication schemes which issue a challenge. The realm value (case-
      sensitive), in combination with the canonical root URL of the server
      being accessed, defines the protection space. These realms allow the
      protected resources on a server to be partitioned into a set of
      protection spaces, each with its own authentication scheme and/or
      authorization database. The realm value is a string, generally assigned
      by the origin server, which may have additional semantics specific to
      the authentication scheme.

John Franks 	Dept of Math. Northwestern University

Received on Tuesday, 23 April 1996 12:23:28 UTC