Re: [closed] Re: p:http-request's send-authorization use case?

On Thu, Feb 5, 2009 at 2:31 PM, Norman Walsh <ndw@nwalsh.com> wrote:

> Florent Georges <fgeorges@fgeorges.org> writes:
> >   In p:http-request, what's the intent of send-authorization?  I
> > understand what the processor is supposed to do, but I would like
> > to know why it is helpful.
>
> If you know that you're using Basic authentication, then you can send
> the credentials first and avoid the "got a 401, retry with
> credentials" round trip.
>
> > Why not always send credentials on
> > the first request, when specified?  I guess this is related to
> > security, to not send credentials without the user explicitly
> > requesting so?
>
> Credentials that you send on the first attempt are effectively clear
> text. (They're hashed, but I think it's reversible.)


Well, a small fix here: hashing is not reversible; but using the hashed value you can reproduce the login, which is definitely a security issue.

> So you don't
> want to do that without the author explicitly requesting it.
>
> It's also pointless if you're using Digest authentication since you
> can't construct the correct credentials before the server sends you a
> nonce.
>
> Please let us know if this explanation is unsatisfactory.
>
> >   BTW, the recent comments I raised about this step is because I
> > got inspired from it to design an equivalent feature for XSLT.  I
> > thought it would be helpful to have same names for attributes,
> > etc.  You can see it at:
> >
> >     http://www.fgeorges.org/xslt/exslt2/http-client.html
> >
> > and discussions at: http://lists.fourthought.com/pipermail/exslt/.
>
> Cool.
>
>                                        Be seeing you,
>                                          norm
>
> --
> Norman Walsh <ndw@nwalsh.com> | All our foes are mortal.--Paul Valéry
> http://nwalsh.com/            |
>

Received on Thursday, 5 February 2009 15:39:26 UTC
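The two points made above (a pre-emptively sent Basic header is effectively clear text, and a Digest response cannot be built before the server's nonce arrives) can be shown concretely. The following is an added example written for this page; it is not code from the XProc specification, from p:http-request implementations, or from either correspondent. The header formats follow RFC 2617, the HTTP authentication spec in force in 2009; the usernames, realm, nonce and cnonce values are taken from the worked examples in RFC 2617 (Basic: "Aladdin" / "open sesame"; Digest: "Mufasa" in realm "testrealm@host.com") rather than from any live system.

```python
"""Basic vs Digest: what send-authorization=true actually puts on the wire.

Added example, not part of the XProc thread or spec. Header formats per
RFC 2617; sample identities and nonces are the RFC's own constructed values.
"""
import base64
import hashlib
import hmac


def basic_authorization(user: str, password: str) -> str:
    """Header a client can build with no server input at all, which is why it
    can go out on the first request and skip the 401 round trip."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def recover_basic_credentials(header: str) -> tuple[str, str]:
    """Base64 is an encoding, not a hash: anyone who observes the header (a
    proxy, an access log, a capture) gets the exact password back, and can
    replay it against the same server indefinitely."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def _md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_ha1(user: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). A server may store this instead of
    the password, so it is what the verifier side holds."""
    return _md5_hex(f"{user}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str, nc: int,
                    cnonce: str, qop: str = "auth") -> str:
    """RFC 2617 response with qop=auth:
         MD5(HA1 : nonce : nc : cnonce : qop : HA2),  HA2 = MD5(method : uri)
    The server-chosen nonce is an input, so no correct value exists until the
    401 challenge has been received; a pre-emptive Digest header is impossible,
    which is the 'pointless' case the thread mentions."""
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{nc:08x}:{cnonce}:{qop}:{ha2}")


def server_accepts(ha1_on_file: str, challenge_nonce: str, method: str, uri: str,
                   nc: int, cnonce: str, response: str) -> bool:
    """Server side: recompute from the stored HA1 and the nonce *it* issued for
    this challenge, then compare in constant time. A response captured under
    one nonce fails verification under the next challenge's nonce, so a
    replayed Digest header does not yield a login the way a replayed Basic
    header does."""
    expected = digest_response(ha1_on_file, method, uri, challenge_nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Basic: build, then show that an observer recovers the plaintext exactly.
    hdr = basic_authorization("Aladdin", "open sesame")
    print(hdr, "->", recover_basic_credentials(hdr))

    # Digest: the RFC 2617 section 3.5 exchange, then a replay under a new nonce.
    ha1 = digest_ha1("Mufasa", "testrealm@host.com", "Circle Of Life")
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
    resp = digest_response(ha1, "GET", "/dir/index.html", nonce, 1, "0a4f113b")
    print("response:", resp)
    print("accepted under issued nonce:",
          server_accepts(ha1, nonce, "GET", "/dir/index.html", 1, "0a4f113b", resp))
    fresh_nonce = "0123456789abcdef0123456789abcdef"   # constructed 'next challenge'
    print("accepted when replayed later:",
          server_accepts(ha1, fresh_nonce, "GET", "/dir/index.html", 1, "0a4f113b", resp))
```

The practical reading of the thread follows from the two halves: with Basic, `send-authorization="true"` buys one round trip at the cost of putting a trivially decodable password on every request, so it only makes sense when the transport is already TLS and the pipeline author has opted in; with Digest, there is nothing to send until the challenge has been seen, so the option has no effect on the first request.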