hc-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 29062] - [API Doc] Improve the description of the preemptive authentication
Date Wed, 26 May 2004 18:02:42 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=29062>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=29062

[API Doc] Improve the description of the preemptive authentication

------- Additional Comments From olegk@apache.org  2004-05-26 18:02 -------
Mike,
I see three possibilities for the default credentials to end up sent to an untrusted
web application:

(1) when credentials are set for null host and null realm. We should never have
allowed that in the very first place, but we did, and now we have to live with
that. I believe at the very least we should warn the users about the security
implications of setting default credentials for null host and realm.

(2) HttpClient 2.0 does not take the target port into consideration when selecting
credentials for the HTTP state. This also should not have happened, but it
did. So, even if default credentials are set for a specific host, HttpClient can
send them to an untrusted application if it is hosted on a different port.

(3) I believe there are at least several web platforms capable of supporting
different authentication realms defined within the same virtual host. There's no
way HttpClient can differentiate those realms unless it receives an
authorization challenge. 

2 and 3 are really fringe cases, but they are not impossible. Think of a hosting
company serving a massive number of virtual sites off the same web platform.

I do admit that the part about being cautious when using preemptive may be badly
worded, but I do think it should be there.

Oleg
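As an added illustration (not HttpClient code, and not from the bug report or its author): a small Python model of the three credential-selection cases listed above, using hypothetical hosts, ports, realms and secrets. Realm `None` on a request stands for "no challenge received yet", i.e. a preemptive send, and `check_port=False` stands for matching on host and realm only.

```python
from dataclasses import dataclass
from typing import Optional, List, Tuple


@dataclass(frozen=True)
class AuthScope:
    host: Optional[str]    # None = any host (the "null host" the comment warns about)
    port: Optional[int]    # None = any port
    realm: Optional[str]   # None = any realm


Store = List[Tuple[AuthScope, str]]


def select_credentials(store: Store, host: str, port: int,
                       realm: Optional[str] = None,
                       check_port: bool = False) -> Optional[str]:
    """Return the secret the client would attach to a request, or None.

    realm=None models a preemptive send: no challenge has arrived, so the
    server's realm is unknown and a scope's realm cannot be checked against it.
    check_port=False models matching on host and realm only (port ignored).
    """
    for scope, secret in store:
        if scope.host is not None and scope.host != host:
            continue
        if check_port and scope.port is not None and scope.port != port:
            continue
        if realm is not None and scope.realm is not None and scope.realm != realm:
            continue
        return secret
    return None


# Constructed sample stores (hypothetical hosts and secrets).
DEFAULT_ONLY: Store = [(AuthScope(None, None, None), "default-secret")]
HOST_SCOPED: Store = [(AuthScope("app.example", 80, "staff"), "staff-secret")]


def leak_report() -> dict:
    """Which of the three cases hands a secret to a preemptive request."""
    return {
        # (1) null host / null realm: any host at all receives the secret
        "default_to_untrusted": select_credentials(DEFAULT_ONLY, "untrusted.example", 80),
        # (2) port ignored: a host-scoped secret goes to another service on another port...
        "other_port_no_check": select_credentials(HOST_SCOPED, "app.example", 8080),
        # ...but not once the port is part of the match
        "other_port_checked": select_credentials(HOST_SCOPED, "app.example", 8080, check_port=True),
        # (3) same host, other realm: nothing distinguishes realms before a challenge...
        "other_realm_preemptive": select_credentials(HOST_SCOPED, "app.example", 80, check_port=True),
        # ...while a challenge naming the realm lets the scope be honoured
        "other_realm_challenged": select_credentials(HOST_SCOPED, "app.example", 80,
                                                     realm="guests", check_port=True),
    }
```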

---------------------------------------------------------------------
To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org

