Re: Chained proxies, persistent connections, authentication

On Thu, 23 Oct 2003, Scott Lawrence wrote:

> In any event, proxy2 is incorrect to associate the connection with
> the authentication of the first request on that connection; all requests
> are stateless, including authentication attributes.  Each request must
> be authenticated on its own - this is _not_ one of the _actual_ benefits
> of persistent connections.

I don't recall how it was determinted that Proxy1 was forwarding proxy
authentication headers to Proxy2. Sans a tcp/ip trace or comprehensive
logs, I would postulate that the described behavior would occur with both
proxy1  and proxy2 working as Dave and Scott have described is required:

a.  User1 sends request to Proxy1 and proxy authenticates with Proxy1
which User1 is authorized to do.
b.  Proxy1 sends the request to Proxy2 and subsequently authenticates
itself (proxy1) to Proxy2.
c.  User1 gets the expected response from Server via the proxy chain.

d.  User2 sends request to Proxy2 and proxy authenticates with Proxy1
which User2 IS authorized to use.
e.  Proxy1 now sends the request to Proxy2 and Proxy1 validly
authenticates with Proxy2 ... proxy1 is still a valid user of proxy2.
f.  User2 gets the unexpected response from Server but it is valid.

This scenario would appear, to someone who was expecting users and not
proxies to authenticate with proxy2, as if proxy2 was remembering stale

Just a thought,
  Dave Morris

Received on Thursday, 23 October 2003 13:10:04 UTC