Re: proxy-auth and chained proxies

From: Dancer <dancer@dont-contact.us>
Date: Wed, 24 Mar 1999 12:19:16 +1100

Henrik Nordstrom wrote:
>
> Dancer wrote:
>
> > Specifically it says that they must be consumed by proxies that
> > _require_ such credentials. A proxy MAY pass challenges and credentials
> > through if they do not personally require them themselves, but the spec
> > also says that this is not to be confused with 'forwarding' them. Cute
> > semantic difference :)
>
> The HTTP 1.1 spec is carefully worded with reasons. Authentication is
> sensitive information and should not be forwarded without thought.
>
> Relevant sections from draft-ietf-http-v11-spec-rev-06
>
> 13.5.1 End-to-end and Hop-by-hop Headers
>
> The following HTTP/1.1 headers are hop-by-hop headers:
>
> . Proxy-Authenticate
> . Proxy-Authorization
>
> 14.33 Proxy-Authenticate
>
> Unlike WWW-Authenticate, the Proxy-Authenticate header field
> applies only to the current connection and SHOULD NOT be passed
> on to downstream clients. However, an intermediate proxy might
> need to obtain its own credentials by requesting them from the
> downstream client, which in some circumstances will appear as
> if the proxy is forwarding the Proxy-Authenticate header field.
>
> 14.34 Proxy-Authorization
>
> When multiple proxies are used in a chain, the Proxy-Authorization
> header field is consumed by the first outbound proxy that was
> expecting to receive credentials. A proxy MAY relay the credentials
> from the client request to the next proxy if that is the mechanism
> by which the proxies cooperatively authenticate a given request.
>
> The only questionable part is "first outbound proxy that was expecting to
> receive credentials", which seems to partially defeat the purpose of the
> other sections. Other than this the intended way to handle proxy
> authentication in chained proxies is without doubt.

Mmm. The way I read this is that both Squid and MS-proxy are DTRT-ing
(doing the right thing), as far as interpretation of the spec goes. Both
methods are 'okay' by the book. Yes, that bit is a bit questionable, but
the more I reread it, the more I get the impression that either method
is acceptable.

Damn.

D
Received on Tue Jul 29 2003 - 13:15:57 MDT
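A small model of the hop-by-hop rules quoted above, added here as an illustration and not code from this thread, from Squid or from MS-Proxy. It assumes a proxy that either requires its own credentials or not, and a `relay_upstream` switch standing in for the cooperative-authentication case of 14.34; the `valid` callback and all header values are constructed for the example.

```python
# Added example (not code from the thread, Squid or MS-Proxy): what one hop in a
# proxy chain does with Proxy-Authorization and Proxy-Authenticate under
# draft-ietf-http-v11-spec-rev-06 sections 13.5.1, 14.33 and 14.34.
from typing import Callable, Dict, Optional, Set, Tuple

# Hop-by-hop headers listed in 13.5.1 (lower-cased for comparison).
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
              "te", "trailers", "transfer-encoding", "upgrade"}

def _hop_by_hop(headers: Dict[str, str]) -> Set[str]:
    """Fixed hop-by-hop set plus any header named in the Connection header."""
    drop = set(HOP_BY_HOP)
    for tok in headers.get("connection", "").split(","):
        if tok.strip():
            drop.add(tok.strip().lower())
    return drop

def proxy_request(headers: Dict[str, str], requires_auth: bool,
                  valid: Callable[[str], bool],
                  relay_upstream: bool = False) -> Tuple[int, Optional[Dict[str, str]]]:
    """Return (status, headers_for_next_hop) for a client request.

    407: challenge the client with our own Proxy-Authenticate, forward nothing.
    200: forward with every hop-by-hop header removed. Proxy-Authorization is
    consumed here when we require it and is never forwarded by accident; it is
    relayed only when relay_upstream is set (the cooperative case in 14.34).
    """
    h = {k.lower(): v for k, v in headers.items()}
    creds = h.get("proxy-authorization")
    if requires_auth and (creds is None or not valid(creds)):
        return 407, None
    drop = _hop_by_hop(h)
    out = {k: v for k, v in h.items() if k not in drop}
    if relay_upstream and creds is not None:
        out["proxy-authorization"] = creds
    return 200, out

def proxy_response(status: int, headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Return (status, headers_for_client) for an upstream response.

    Per 14.33 the upstream Proxy-Authenticate applies to our connection, not the
    client's, so it is stripped. A 407 from upstream means this proxy lacks its
    own upstream credentials (a real proxy would retry with configured ones);
    here it is surfaced to the client as 502 rather than as a challenge.
    """
    h = {k.lower(): v for k, v in headers.items()}
    out = {k: v for k, v in h.items() if k not in _hop_by_hop(h)}
    return (502, out) if status == 407 else (status, out)
```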