RE: passing on Proxy Authentication

1. figured that, just an idea
2. to provide users with a single login (both in details and in instance;
i.e., they do it once, not once for each server) for all company-related Web
services (including proxies), without resorting to proprietary
authentication methods. On a complex network with many disparate Web
services, this can be an easy way to tie authentication together.
3. It isn't; if a user goes to a protected Web service, they'll still get a
WWW-Authenticate header in the response. This means that they'll have to
authenticate themselves separately on each server, as well as override their
proxy settings, which should be enough encouragement to go through the
proxy.

Perhaps an example is in order. Imagine a network with a proxy called
'proxy' and Web servers called 'foo', 'bar' and 'baz'. A user fires up their
Web browser, which will go to a proxy (for our example, let's assume that
it's a big network, and that even local traffic goes through a proxy). After
authenticating themselves on the proxy, their requests to it will include a
Proxy-Authorization header. What I'm suggesting is that the proxy could be
configured to translate that into an Authorization header and pass it on to
selected Web servers (foo, bar, and baz, perhaps *.foo.com, but never
anything else), so that the user does not need to re-authenticate
themselves.


> -----Original Message-----
> From:	Paul Leach [SMTP:paulle@microsoft.com]
> Sent:	Saturday, September 12, 1998 4:57 AM
> To:	'Nottingham, Mark (Australia)'; http-wg@hplb.hpl.hp.com
> Subject:	RE: passing on Proxy Authentication
> 
> Three comments:
> 1. Too late for HTTP/1.1
> 2. Please provide more motivation -- why not just authenticate to the
> internal web servers directly?
> 3. Even if desirable, how is the requirement to first authenticate with the
> proxy server enforced?
> 
> 
> 
> 
> > -----Original Message-----
> > From: Nottingham, Mark (Australia)
> > [mailto:mark_nottingham@exchange.au.ml.com]
> > Sent: Thursday, September 10, 1998 8:39 PM
> > To: http-wg@hplb.hpl.hp.com
> > Subject: passing on Proxy Authentication
> > 
> > 
> > 
> > Is there any reason why proxy-authorization can't be passed onto
> > selected *Web* servers? It occurred to me that this would be a nice way
> > to have a 'single login' in an Intranet situation; e.g., users use an
> > internal proxy, which they must authenticate for (for accounting/audit
> > purposes). Instead of re-typing a (possibly different) user/pass
> > combination to access protected internal resources, it would be nifty to
> > reuse the Proxy-Authorization: information.
> > 

Received on Sunday, 13 September 1998 17:00:25 UTC
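
The header translation proposed in this message, written out in Python as an added example that is not part of the original thread. The function names, the header-list representation, the rule that a client-supplied Authorization header is kept, and the restriction to the Basic scheme are assumptions of this example.

```python
ALLOWED_EXACT = {"foo", "bar", "baz"}      # servers named in the message
ALLOWED_SUFFIXES = (".foo.com",)           # the "*.foo.com" case


def normalize_host(host):
    """Lower-case the Host value and drop any port and trailing dot."""
    host = host.strip().lower()
    if host.startswith("["):               # IPv6 literal: never selected
        return ""
    return host.partition(":")[0].rstrip(".")


def host_is_selected(host):
    """True only for origin servers the proxy may pass credentials to."""
    name = normalize_host(host)
    if name in ALLOWED_EXACT:
        return True
    # The leading dot in each suffix forces a label boundary, so
    # "evilfoo.com" and bare "foo.com" do not match "*.foo.com".
    return any(name.endswith(s) and len(name) > len(s) for s in ALLOWED_SUFFIXES)


def rewrite_headers(host, headers):
    """Return the header list the proxy sends upstream.

    headers is a list of (name, value) pairs from the client request.
    """
    proxy_cred = None
    out = []
    for name, value in headers:
        if name.lower() == "proxy-authorization":
            proxy_cred = value             # consumed here, never forwarded as-is
        else:
            out.append((name, value))
    has_own_auth = any(n.lower() == "authorization" for n, _ in out)
    # Assumption: only Basic is copied, because a Digest response is bound to
    # the proxy's own challenge and would not verify at the origin server.
    is_basic = proxy_cred is not None and proxy_cred.split(" ", 1)[0].lower() == "basic"
    if host_is_selected(host) and is_basic and not has_own_auth:
        out.append(("Authorization", proxy_cred))
    return out


# Constructed sample request headers (credential is "user:pass" in Base64).
SAMPLE = [("Host", "bar"), ("Proxy-Authorization", "Basic dXNlcjpwYXNz")]
```

Any host outside the list gets the request with Proxy-Authorization removed and nothing added, which is the "never anything else" condition in the message.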