hc-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 29439] - Credentials ignored if realm specified in preemptive authentication
Date Wed, 09 Jun 2004 09:37:21 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=29439>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=29439

Credentials ignored if realm specified in preemptive authentication





------- Additional Comments From ortwin.glueck@nose.ch  2004-06-09 09:37 -------
Phillipe,

no, we will not assume realm=null if preemptive auth is enabled, for security
reasons. This could expose credentials to the wrong web application, possibly
the one of an attacker. If you enable preemptive auth you need to explicitly
state (by setting the realm to null) that you want specific credentials to be
sent to any realm. So the responsibility is on the user side. I know this may
sound paranoid. But security without paranoia is bad security in my opinion.

The load balancing issue is out of our scope. The load balancing must
unconditionally support session hand-over in a world where cookies drive the
web. If you pretend to be one single machine but behave like n ones, problems
are at hand. I do not know of any RFC covering load balanced HTTP servers. There
is nothing that I want to do here.

I am afraid all we can do is issue a warning or throw an exception.

If you are dealing with multi-MB requests, you should also consider other forms
of authentication that suit your needs. Maybe BASIC is just too basic for you.

---------------------------------------------------------------------
To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org


Mime
View raw message