Re: proxy-auth and chained proxies

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Wed, 24 Mar 1999 01:45:34 +0100

Dancer wrote:

> Specifically it says that they must be consumed by proxies that
> _require_ such credentials. A proxy MAY pass challenges and credentials
> through if they do not personally require them themselves, but the spec
> also says that this is not to be confused with 'forwarding' them. Cute
> semantic difference :)

The HTTP 1.1 spec is carefully worded for a reason. Authentication is
sensitive information and should not be forwarded without thought.

Relevant sections from draft-ietf-http-v11-spec-rev-06

13.5.1 End-to-end and Hop-by-hop Headers

   The following HTTP/1.1 headers are hop-by-hop headers:

      . Proxy-Authenticate
      . Proxy-Authorization

14.33 Proxy-Authenticate

   Unlike WWW-Authenticate, the Proxy-Authenticate header field
   applies only to the current connection and SHOULD NOT be passed
   on to downstream clients. However, an intermediate proxy might
   need to obtain its own credentials by requesting them from the
   downstream client, which in some circumstances will appear as
   if the proxy is forwarding the Proxy-Authenticate header field.

14.34 Proxy-Authorization
 
   When multiple proxies are used in a chain, the Proxy-Authorization
   header field is consumed by the first outbound proxy that was
   expecting to receive credentials. A proxy MAY relay the credentials
   from the client request to the next proxy if that is the mechanism
   by which the proxies cooperatively authenticate a given request.

The only questionable part is "first outbound proxy that was expecting to
receive credentials", which seems to partially defeat the purpose of the
other sections. Other than this, the intended way to handle proxy
authentication in chained proxies is without doubt.

/Henrik
Received on Tue Jul 29 2003 - 13:15:57 MDT
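
The header handling quoted above from 13.5.1, 14.33 and 14.34, as an added example in Python (not part of the original message and not Squid's code). The function names, the relay_to_parent switch and the sample headers are assumptions constructed for illustration; dropping credentials by default when this proxy does not require them is this example's policy choice, with relaying as an explicit opt-in.

```python
import hmac

# Constructed sample data: "dXNlcjpwYXNz" is base64 of "user:pass".
EXPECTED = "Basic dXNlcjpwYXNz"
SAMPLE_REQUEST = [("Host", "example.org"), ("Proxy-Authorization", EXPECTED)]
SAMPLE_RESPONSE = [("Proxy-Authenticate", 'Basic realm="parent"'),
                   ("Content-Type", "text/html")]


def verify_constructed(value):
    """This proxy's own credential check (constant-time compare)."""
    return hmac.compare_digest(value, EXPECTED)


def upstream_headers(headers, requires_auth, verify=None, relay_to_parent=False):
    """Decide which request headers go to the next proxy in the chain.

    requires_auth   -- this proxy itself expects Proxy-Authorization
    verify          -- callable(value) -> bool, used only if requires_auth
    relay_to_parent -- opt-in for the cooperative case allowed by 14.34
    Returns (407, []) when this proxy must issue its own challenge,
    otherwise (200, headers_to_forward).
    """
    creds = [v for n, v in headers if n.lower() == "proxy-authorization"]
    if requires_auth and not (creds and verify(creds[0])):
        return 407, []  # caller replies with its own Proxy-Authenticate
    out = []
    for name, value in headers:
        if name.lower() == "proxy-authorization" and not relay_to_parent:
            continue  # hop-by-hop: consumed or dropped at this hop
        out.append((name, value))
    return 200, out


def downstream_headers(headers, relay_to_parent=False):
    """Filter a parent's response: per 14.33 its Proxy-Authenticate
    SHOULD NOT reach downstream clients unless the proxies cooperate."""
    return [(n, v) for n, v in headers
            if n.lower() != "proxy-authenticate" or relay_to_parent]


if __name__ == "__main__":
    print(upstream_headers(SAMPLE_REQUEST, True, verify_constructed))
    print(upstream_headers(SAMPLE_REQUEST, True, verify_constructed, True))
    print(downstream_headers(SAMPLE_RESPONSE))
```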
