- From: Adrien de Croy <adrien@qbik.com>
- Date: Tue, 17 Jun 2008 12:56:56 +1200
- To: Bjoern Hoehrmann <derhoermi@gmx.net>
- CC: HTTP Working Group <ietf-http-wg@w3.org>
Bjoern Hoehrmann wrote:

> * Adrien de Croy wrote:
>
>> How does that fit with appending the realm to a base URI to get a
>> "protection space"? To me it seems that indicates that the realm should
>> be like a folder on a webserver. The credentials may be automatically
>> re-presented for any URL that maps to a resource in that folder (or any
>> sub-folders).
>
> "Combination" here does not mean textual concatenation. Read it like you
> would read "A specific latitude in combination with a specific longitude
> identifies a precise position on the Earth's surface".

OK, so the 2 are associated in some way other than concatenation. Thanks for that clarification.

>> How then can the client decide whether to try the credentials or not if
>> it cannot a priori calculate whether the next URI request will be in the
>> same realm as some previous realm?
>
> It cannot do that, it can only make certain assumptions as suggested in
> the specification, for example, "A client SHOULD assume that all paths
> at or deeper than the depth of the last symbolic element in the path
> field of the Request-URI also are within the protection space specified
> by the Basic realm value of the current challenge."

I guess this limits the usability of the realm then. Shame it's mandatory for all auth methods that issue a challenge (e.g. also Digest).

All I've seen a browser do with it is display it in the login dialog (in brackets). So it seems purely cosmetic.

Does anyone know what browsers do with realms relating to authenticating to a proxy? From what I can tell IE6 basically ignores the realm and retries credentials for a proxy. IE7 does not, and if you don't specify a realm, it doesn't re-present credentials. If you do specify one, it seems to re-present the same credentials for all sites (which is sensible IMO). I'd need to check other browsers.

Thanks for your help

Adrien

--
Adrien de Croy - WinGate Proxy Server - http://www.wingate.com
Received on Tuesday, 17 June 2008 00:55:59 UTC
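
An added example, not part of the original message or of any browser's code: a sketch of how a client could apply the rule quoted from the specification above, keying stored Basic credentials on (canonical root, realm) and sending them pre-emptively only for paths at or below the directory of a request that already succeeded. The class and function names are hypothetical, and resolving dot-segments before the prefix check is an assumption added here, not something the quoted text requires.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def root_of(url):
    """Canonical root (scheme, host, port): half of the protection-space key."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return (scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS[scheme])

def norm_path(url):
    """Request path with '.' and '..' resolved, so a prefix match cannot be faked."""
    path = urlsplit(url).path or "/"
    out = []
    for seg in path.split("/"):
        if seg == "..":
            del out[-1:]  # drop the previous segment, if there is one
        elif seg not in ("", "."):
            out.append(seg)
    tail = "/" if out and path.endswith(("/", "/.", "/..")) else ""
    return "/" + "/".join(out) + tail

class BasicCredentialCache:
    """Hypothetical client-side cache; names are illustrative, not from any browser."""

    def __init__(self):
        self._creds = {}     # (root, realm) -> credentials: the protection space
        self._prefixes = []  # (root, directory prefix, realm) from accepted requests

    def remember(self, url, realm, credentials):
        """Call after the server accepted `credentials` for `url` under `realm`."""
        path = norm_path(url)
        prefix = path[: path.rfind("/") + 1]  # depth of the last path element
        self._creds[(root_of(url), realm)] = credentials
        self._prefixes.append((root_of(url), prefix, realm))

    def preemptive(self, url):
        """Credentials to send before any challenge, or None (wait for the 401)."""
        root, path = root_of(url), norm_path(url)
        hits = [(len(pre), realm) for r, pre, realm in self._prefixes
                if r == root and path.startswith(pre)]
        return self._creds[(root, max(hits)[1])] if hits else None

    def on_challenge(self, url, realm):
        """A 401 named `realm`: reuse credentials already held for that space."""
        return self._creds.get((root_of(url), realm))
```

Outside the learned prefix the client cannot know the realm in advance, so `preemptive` returns nothing and the realm only becomes useful in `on_challenge`, once the server has named it in a 401.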