hc-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 29439] - Credentials ignored if realm specified in preemptive authentication
Date Wed, 09 Jun 2004 10:06:47 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=29439>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=29439

Credentials ignored if realm specified in preemptive authentication
------- Additional Comments From pvdyck@operamail.com  2004-06-09 10:06 -------
Ortwin,

>no, we will not assume realm=null if preemptive auth is enabled, for security
>reasons. This could expose credentials to the wrong web application, possibly
>the one of an attacker. If you enable preemptive auth you need to explicitly
>state (by setting the realm to null) that you want specific credentials to be
>sent to any realm. So the responsibility is on the user side. I know this may
>sound paranoid. But security without paranoia is bad security in my opinion.

I definitely agree.

Maybe the documentation should reflect this 'null' value for realms in the
'Preemptive Authentication' paragraph?

>The load balancing issue is out of our scope. The load balancing must
>unconditionally support session hand-over in a world where cookies drive the
>web. If you pretend to be one single machine but behave like n ones, problems
>are at hand. I do not know of any RFC covering load balanced HTTP servers. 
>There is nothing that I want to do here.

Again I agree.

>I am afraid all we can do is issue a warning or throw an exception.

I propose the more defensive 'exception' approach; this way it is definitely no
longer silent.

>If you are dealing with multi-MB requests, you should also consider other forms
>of authentication that suit your needs. Maybe BASIC is just too basic for you.

Indeed, but I don't choose the authentication mechanism, and people like adding
passwords everywhere (it may be paranoid, but as you said "security without
paranoia is bad security").

Thanks again for your quick answer and the level of support offered.

Philippe

P.S. Proposition: maybe the next version (3?) should support a way to set
preemptive credentials without specifying a 'null' value but a more explicit
sentinel?
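To make the three configurations discussed in this exchange concrete, here is an added example (not code posted in the bug or shipped by the HttpClient project) written against the HttpClient 2.0 API of the time, HttpState.setCredentials(realm, host, credentials) and HttpState.setAuthenticationPreemptive(boolean). The host, realm and account values are constructed for illustration. It contrasts the realm-scoped preemptive setup from the bug title, the null-realm preemptive setup the maintainers require, and the challenge-driven setup that never volunteers the password.

```java
import java.io.IOException;

import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.HttpException;
import org.apache.commons.httpclient.HttpState;
import org.apache.commons.httpclient.UsernamePasswordCredentials;
import org.apache.commons.httpclient.methods.GetMethod;

/**
 * Three ways of registering the same credentials with HttpClient 2.0,
 * and what each one means for where the password travels.
 */
public class PreemptiveRealmExample {

    // Constructed values for illustration only.
    static final String HOST = "intranet.example.org";
    static final String REALM = "reports";
    static final UsernamePasswordCredentials CREDS =
            new UsernamePasswordCredentials("alice", "s3cret");

    /**
     * Case 1: the situation in this bug report. Preemptive auth is on but the
     * credentials are bound to a named realm. Before a challenge arrives the
     * client does not know which realm the server will name, so the preemptive
     * attempt goes out without these credentials (the "ignored" behaviour the
     * bug title describes), and nothing tells the caller.
     */
    static HttpClient realmScopedPreemptive() {
        HttpClient client = new HttpClient();
        HttpState state = client.getState();
        state.setAuthenticationPreemptive(true);
        state.setCredentials(REALM, HOST, CREDS);
        return client;
    }

    /**
     * Case 2: what the maintainers require you to write. A null realm is the
     * explicit statement that these credentials may be sent to ANY realm on
     * HOST before a challenge is seen. Requests to HOST now carry the Basic
     * header unsolicited, so this is only appropriate where HOST is trusted
     * end to end (and the transport protects the header in transit).
     */
    static HttpClient anyRealmPreemptive() {
        HttpClient client = new HttpClient();
        HttpState state = client.getState();
        state.setAuthenticationPreemptive(true);
        state.setCredentials(null, HOST, CREDS);
        return client;
    }

    /**
     * Case 3: challenge-driven. Preemptive auth stays off and the credentials
     * stay bound to REALM, so the password is sent only after the server has
     * answered 401 with a WWW-Authenticate challenge naming that realm. This
     * costs the extra round trip raised in the thread for large request
     * bodies, but never offers the password to an unexpected realm.
     */
    static HttpClient realmScopedChallenge() {
        HttpClient client = new HttpClient();
        client.getState().setCredentials(REALM, HOST, CREDS);
        return client;
    }

    public static void main(String[] args) throws HttpException, IOException {
        HttpClient client = realmScopedChallenge();
        GetMethod get = new GetMethod("http://" + HOST + "/reports/index.html");
        try {
            int status = client.executeMethod(get);
            System.out.println("HTTP " + status);
        } finally {
            get.releaseConnection();
        }
    }
}
```

The choice between case 2 and case 3 is the trade-off the thread is about: case 2 saves a round trip per request, case 3 limits credential exposure to a server that has actually asserted the expected realm. Case 1 is the combination to watch for in code review, since it looks scoped but authenticates nothing on the first attempt.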

---------------------------------------------------------------------
To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org

