httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Life is hard, and then you die." <ron...@innovation.ch>
Subject Re: Kerberos authentication and authentication (proxy ticket forwarding)
Date Sat, 06 Nov 1999 18:37:08 GMT

> > Quick question (I haven't looked at the RFC's etc yet): Are they doing
> > real http authentication, or are they doing connection authentication?
> 
> I'm not sure I understand the question.  What exactly is the distinction
> you're trying to make?

Sorry, should've clarified.

Taking NTLM as an example, the challenge (WWW-Authenticate header) is
sent each time you create a new connection. The ensuing handshake (NTLM
does more than just a single challenge-response) is carried out, and
after that all requests on that connection do not require any
Authorization header to be sent, irrespective of which resource they
access. Also, you can't preemptively send auth info when you open a
connection (well, you can send some info, but that will only shorten
the handshake from 5 to 3 messages).

In short, NTLM-auth authenticates the connection, not the request.
HTTP authentication (e.g. Basic and Digest) does not care about
connections, only about requests.


  Cheers,

  Ronald


Mime
View raw message