RE: http-request authentication missing realm? from Toman_Vojtech@emc.com on 2008-12-10 (public-xml-processing-model-comments@w3.org from December 2008)

From: <Toman_Vojtech@emc.com>
Date: Wed, 10 Dec 2008 08:31:46 -0500
To: <public-xml-processing-model-comments@w3.org>
Message-ID: <6E216CCE0679B5489A61125D0EFEC7870DBC1261@CORPUSMX10A.corp.emc.com>

> I think a realm value is required for Digest authentication, 
> but I don't think
> we provide any way of supplying it.

I am no expert on this, but I thought that the realm information is
actually provided by the server, as part of the authentication
challenge. The client then combines the username, password and the
server-provided realm (and the 'nonce' value which is also provided by
the server), and computes a MD5 hash which he then sends back to the
server.

Providing p:http-request with an explicit realm option would only make
sense to me if p:http-request contained some logic for determining which
username/password to pick for a particular authentication realm.

But again, (thankfully) I don't enough about this, so I may be wrong.

Regards,
Vojtech

Received on Wednesday, 10 December 2008 13:32:46 UTC