- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Sun, 07 Aug 2011 20:28:03 +0200
- To: "Manger, James H" <James.H.Manger@team.telstra.com>
- CC: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
On 2011-07-29 01:45, Manger, James H wrote:
>>> RFC 4559 "SPNEGO/NTLM/Negotiate" might specify that, but I don't think it can work as it makes parsing ambiguous. For instance, does the following response header include 1 scheme with 4 parameters, or 2 or 3 schemes? Is "tuv" another authentication scheme supported by this server, or a parameter of the "ABC" scheme?
>>>    WWW-Authenticate: ABC xyz, a=1, qrs, tuv
>
>
>> The ABNF says:
>>
>>    challenge = auth-scheme 1*SP 1#auth-param
>>
>> so there needs to be at least one auth-param, separated by one or more SPs.
>
> NTLM doesn't include any params initially.
> A recent HTTPbis change made the 1 and only previously-required parameter 'realm' optional.
> So the syntax should be adjusted not to require any params. At which point a base64 blob that isn't the first param would be ambiguous.
> ...

James,

again sorry for the slow feedback.

I spent some time on <http://greenbytes.de/tech/tc/httpauth/> making sure that what RFC 2616/7 specify is actually parseable (it seems to be, I've done it with XSLT 2 and regexps). (Feedback on more tests welcome...).

Summarizing where we are:

- we introduce a b64 grammar production

- we remove the at-least one auth-param requirement from the ABNF (actually, that should be done as part of issue <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/177>)

- we allow b64 both in challenges and credentials *instead* of a list of auth-params (we believe a single b64 is sufficient for Negotiate & friends)

Best regards, Julian
Received on Sunday, 7 August 2011 18:28:52 UTC
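
The grammar summarized in the message above, as an added Python sketch (not code from the thread, the test suite, or HTTPbis): each scheme is followed by nothing, a single b64 blob, or a list of auth-params, and a header that mixes a blob with params is rejected instead of guessed at. The function name `parse_challenges` and the b64 character set (the one RFC 7235 later published as token68) are assumptions.

```python
import re

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
B64 = r"[A-Za-z0-9\-._~+/]+=*"   # assumed charset (RFC 7235 token68)
PARAM = re.compile(rf"({TOKEN})\s*=\s*({TOKEN}|{QUOTED})$")
START = re.compile(rf"({TOKEN})(?: +(.+))?$")
ELEMENT = re.compile(rf'(?:[^",]|{QUOTED})+')   # split on commas outside quotes


def _unquote(value):
    if value.startswith('"'):
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value


def parse_challenges(header):
    """Return [(scheme, b64_or_None, params)]; raise ValueError on ambiguity."""
    challenges = []
    for elem in (m.group().strip() for m in ELEMENT.finditer(header)):
        if not elem:
            continue
        param = PARAM.match(elem)
        if param:
            # A bare name=value element continues the current challenge
            # (lenient: also accepted right after a scheme with no params).
            # It cannot follow a b64 blob: b64 replaces the param list.
            if not challenges or challenges[-1][1] is not None:
                raise ValueError(f"auth-param {elem!r} cannot be attached")
            challenges[-1][2][param.group(1).lower()] = _unquote(param.group(2))
            continue
        start = START.match(elem)
        if not start:
            raise ValueError(f"unparseable element {elem!r}")
        scheme, rest = start.groups()
        if rest is None:                      # scheme alone, e.g. initial NTLM
            challenges.append((scheme, None, {}))
            continue
        param = PARAM.match(rest)
        if param:                             # scheme followed by first param
            name, value = param.group(1).lower(), _unquote(param.group(2))
            challenges.append((scheme, None, {name: value}))
        elif re.fullmatch(B64, rest):         # scheme followed by one blob
            challenges.append((scheme, rest, {}))
        else:
            raise ValueError(f"{rest!r} is neither b64 nor an auth-param")
    return challenges
```

With these rules the header quoted in the thread, `ABC xyz, a=1, qrs, tuv`, is rejected at `a=1`, while `qrs` and `tuv` on their own read as parameterless schemes.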