Protection spaces and proxy servers

• From: <Dominic.Chambers@mimesweeper.com>
• Date: Fri, 1 May 1998 14:25:04 +0100 (BST)
• To: http-wg-request@cuckoo.hpl.hp.com
• Message-Id: <00003B8F.eval@mimesweeper.com>

     Background
     ----------
     
     According to draft-ietf-http-authentication "The protection space 
     determines the domain over which credentials can be automatically 
     applied. If a prior request has been authorized, the same credentials 
     MAY be reused for all other requests within that protection space..".
     
     The protection space is defined as "The realm value, in combination 
     with the canonical root URL of the server being accessed, defines the 
     protection space.". Also, "a single protection space cannot extend 
     outside the scope of its server".
     
     
     Query?
     ------
     
     What is the protection space for a proxy server which forces 
     authentication? Does the "..canonical root URL of the server being 
     accessed.." refer to the proxie servers URL, or the origin servers 
     URL. The later would imply that the client should stop sending proxy 
     authorization headers whenever the protection space of the origin 
     server changes, even though the proxy has not changed.
     
     If proxy servers request authorization, it is likely that the same 
     authorization will be required for all/most resources accessed through 
     the proxy, and I must suppose that the protection space refers to the 
     proxies URL, and therefore all requests a client makes via that proxy 
     must require authorization as long as the realm remains constant. Is 
     this the case?
     
     
     Thanks, Dominic.
**********************************************************************

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. 
If you have received this email in error please notify Content Technologies 
on +44 118 9301300.

This message has been generated by MIMEsweeper and certifies that the message and attachments have been swept for all known and recorded computer viruses. 
MIMEsweeper 3.x protects your organization from content borne threats and malicious intent. Combined with firewalls MIMEsweeper provides a comprehensive network security solution.

For information regarding the MIMEsweeper family of products:

Phone:  +44 118 9301300
Fax:    +44 118 9301301
Email:  info@mimesweeper.com
Support:msw.support@mimesweeper.com
World Wide Web: http://www.mimesweeper.com

MIMEsweeper: Content Security for Networks 
**********************************************************************

Received on Tuesday, 5 May 1998 04:41:37 UTC