- From: Paul Leach <paulle@microsoft.com>
- Date: Mon, 11 Mar 96 10:33:49 PST
- To: john@math.nwu.edu
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
----------
] From: John Franks <john@math.nwu.edu>
] Date: Sunday, March 10, 1996 4:41PM
]
] On Fri, 8 Mar 1996, Paul Leach wrote:
]
] > Any digest that included the URI would be wrong if the URI is munged by
] > the proxy. It would break Digest Authentication, for example.
]
] Actually, a proxy munging the URL will cause no problem for digest
] authentication. The URL is duplicated in the uri field of the
] authentication header to deal with exactly this issue. Of course,
] if a proxy munges the Authorization: header then there will be
] problems.

Interesting. What happens if I do this:

GET /secret.txt HTTP/1.1
Authorization: uri="/public.txt", username="fred", realm="www.foo.com", nonce="deadbeef", response="0123456789abcdef0123456789abcdef"

If the server checks the authorization header and its URI, but then uses the URI from the Request-URI in the request line, the whole exercise will have been wasted. And if proxies are allowed to munge the URI in unknown ways, the server can't compare the request-URI with the uri in the Authorization header.

The Digest draft should say that the server MUST use the URI from the Authorization header, as that is the only one that has been authenticated.

Paul
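A server-side check of the point raised in this exchange, added here as an example that is not from the mail or from any HTTP working group draft: it parses the Digest Authorization directives, verifies the response with the formula later standardised in RFC 2069 (MD5(MD5(user:realm:pass):nonce:MD5(method:uri))), and refuses a request whose Request-URI differs from the authenticated uri directive, which is the /secret.txt versus /public.txt case above. The user store, the password and the set of valid nonces are constructed for the demo.

```python
import hashlib
import hmac
import re

# Constructed demo data (not from the mail): one user and the realm used in the example header.
USERS = {"fred": "hunter2"}
REALM = "www.foo.com"


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def parse_digest(header: str) -> dict:
    """Pull the key="value" directives out of a Digest Authorization header value."""
    return dict(re.findall(r'(\w+)="([^"]*)"', header))


def digest_response(username, realm, password, method, uri, nonce):
    """Digest response as in RFC 2069: MD5(MD5(user:realm:pass):nonce:MD5(method:uri)).
    Only the uri directive is covered by the hash; the request line's URI is not."""
    ha1 = md5hex(f"{username}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def authorize(method, request_uri, auth_header, valid_nonces):
    """Return (granted, reason) for one request.

    The uri directive is the only URI the digest authenticates, so a request
    line naming a different resource is refused rather than served."""
    f = parse_digest(auth_header)
    for k in ("username", "realm", "nonce", "uri", "response"):
        if k not in f:
            return False, f"missing {k}"
    if f["realm"] != REALM or f["username"] not in USERS:
        return False, "unknown realm or user"
    if f["nonce"] not in valid_nonces:
        return False, "stale or unknown nonce"
    if f["uri"] != request_uri:
        # The case from the mail: header authenticates /public.txt, request line asks for /secret.txt.
        return False, f"uri mismatch: authenticated {f['uri']}, requested {request_uri}"
    expected = digest_response(f["username"], REALM, USERS[f["username"]],
                               method, f["uri"], f["nonce"])
    if not hmac.compare_digest(expected, f["response"]):
        return False, "bad response"
    return True, "ok"
```

Rejecting the mismatch outright is the stricter reading of the mail's conclusion; a server that instead serves the uri from the header must still never touch the resource named in the request line.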
Received on Monday, 11 March 1996 10:35:56 UTC