httpd-dev mailing list archives

From Dirk-Willem van Gulik <di...@covalent.net>
Subject Re: WWW-Authenticate: Negotiate
Date Mon, 17 Sep 2001 17:31:46 GMT

Did not someone make a patch for this early after the feature was in IE 4?

Dw

On Mon, 17 Sep 2001, Martin Kraemer wrote:

> I just noticed a feature of IIS 5.0 which is (if I am correct)
> impossible to do with Apache (1.3/2.0), albeit very useful. It
> is the possibility to use multiple authentication schemes
> in parallel, with the client selecting the most appropriate
> version.
>
> Without much explanation, here's a response header of IIS5 for a
> request requiring authentication:
>
>   HTTP/1.1 401 Unauthorized
>   Server: Microsoft-IIS/5.0
>   Date: Mon, 17 Sep 2001 14:01:05 GMT
>   WWW-Authenticate: Negotiate
>   WWW-Authenticate: NTLM
>   WWW-Authenticate: Basic realm="my.fsc.net"
>   Set-Cookie: RQFW={CC8D82ED-2EC6-446D-8013-68DA01CFE353}; path=/;
>   Cache-Control: private
>   Content-Type: text/html; charset=utf-8
>   Content-Length: 1509
>
> For Apache, the alternatives "Basic" and "Digest" would be more appropriate,
> of course. But AFAICS Apache does not allow for accepting multiple
> schemes alternatively.
>
> In RFC2617, I find a reference to multiple WWW-Authenticate headers:
>
> >  4.6 Weakness Created by Multiple Authentication Schemes
> >
> >      An HTTP/1.1 server may return multiple challenges with a 401
> >      (Authenticate) response, and each challenge may use a different
> >      auth-scheme. A user agent MUST choose to use the strongest
> >      auth-scheme it understands and request credentials from the user
> >      based upon that challenge.
> >
> >      Note that many browsers will only recognize Basic and will require
> >      that it be the first auth-scheme presented. Servers should only
> >      include Basic if it is minimally acceptable.
> >
> >      When the server offers choices of authentication schemes using the
> >      WWW-Authenticate header, the strength of the resulting
> >      authentication is only as good as that of the weakest of the
> >      authentication schemes. See section 4.8 below for discussion of
> >      particular attack scenarios that exploit multiple authentication
> >      schemes.
>
> Now my question is:
>
> * is this feature standardized? (The first "WWW-Authenticate: Negotiate"
>   looks fishy to me)
>
> * how could Apache be configured to support multiple auth schemes for
>   a given resource in parallel? Currently, "AuthType Digest" allows
>   only one argument, and using it multiple times just replaces the
>   current setting.
>
>   Martin
>

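To make the RFC 2617 section 4.6 rule concrete, here is an added example (not code from this thread, from IIS or from the Apache project) that parses the challenges of a 401 like the one Martin quoted, including the comma-separated single-header form RFC 2617 also permits, and applies the "strongest scheme the client understands" rule. The strength ranking, the sample response and all function names are constructed for this example and are not taken from the page.

```python
"""Multiple WWW-Authenticate challenges in one 401 and how a client should
pick among them (RFC 2617 section 4.6). Added example, not httpd-dev code."""

import re

# Client-side ranking, strongest first. The order is an assumption made for
# this example, not something the thread or RFC 2617 specifies.
DEFAULT_STRENGTH = {"negotiate": 4, "digest": 3, "ntlm": 2, "basic": 1}

# Constructed sample: the IIS 5.0 response quoted in the thread, trimmed to
# the headers that matter here.
SAMPLE_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    'WWW-Authenticate: Basic realm="my.fsc.net"\r\n'
    "Content-Length: 0\r\n"
    "\r\n"
)

_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
# A challenge starts with a scheme token, optionally followed by one
# auth-param or a token68 blob (e.g. a Negotiate/SPNEGO token).
_CHALLENGE_START = re.compile(rf"^({_TOKEN})(?:\s+(.+))?$")
# An auth-param is exactly token "=" (token | quoted-string).
_AUTH_PARAM = re.compile(rf"^({_TOKEN})\s*=\s*({_QUOTED}|{_TOKEN})$")


def www_authenticate_values(raw_response: str) -> list[str]:
    """Return every WWW-Authenticate value in order; header names are case-insensitive."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "www-authenticate":
            values.append(value.strip())
    return values


def _split_unquoted_commas(value: str) -> list[str]:
    """Split on commas outside quoted-strings, honouring backslash quoted-pairs."""
    parts, buf, in_quotes, escaped = [], [], False, False
    for ch in value:
        if escaped:
            buf.append(ch)
            escaped = False
        elif in_quotes and ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
            buf.append(ch)
        elif ch == "," and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def _unquote(value: str) -> str:
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value


def parse_challenges(header_values: list[str]) -> list[dict]:
    """Parse challenges from one or more header values. Because auth-params are
    themselves comma-separated, a piece shaped 'token=value' continues the
    current challenge and anything else starts a new one."""
    challenges = []
    for value in header_values:
        for piece in _split_unquoted_commas(value):
            param = _AUTH_PARAM.match(piece)
            if param and challenges:
                challenges[-1]["params"][param.group(1).lower()] = _unquote(param.group(2))
                continue
            start = _CHALLENGE_START.match(piece)
            if not start:
                raise ValueError(f"malformed challenge: {piece!r}")
            challenge = {"scheme": start.group(1).lower(), "params": {}, "token68": None}
            rest = start.group(2)
            if rest:
                first = _AUTH_PARAM.match(rest)
                if first:
                    challenge["params"][first.group(1).lower()] = _unquote(first.group(2))
                else:
                    challenge["token68"] = rest
            challenges.append(challenge)
    return challenges


def choose_strongest(challenges: list[dict], strength=DEFAULT_STRENGTH):
    """RFC 2617 4.6: use the strongest scheme the client understands; None if none."""
    known = [c for c in challenges if c["scheme"] in strength]
    return max(known, key=lambda c: strength[c["scheme"]], default=None)


def weakest_accepted(challenges: list[dict], strength=DEFAULT_STRENGTH):
    """The server accepts every scheme it offers, so the effective strength is
    that of the weakest one: an active attacker who strips the stronger
    WWW-Authenticate headers from the 401 lands the client on this scheme."""
    known = [c for c in challenges if c["scheme"] in strength]
    return min(known, key=lambda c: strength[c["scheme"]], default=None)


if __name__ == "__main__":
    offered = parse_challenges(www_authenticate_values(SAMPLE_401))
    print("offered:", [c["scheme"] for c in offered])
    print("client picks:", choose_strongest(offered)["scheme"])
    print("downgrade floor:", weakest_accepted(offered)["scheme"])
```

Run against the sample, a client that knows all four schemes selects Negotiate, while the downgrade floor is Basic, which is exactly the weakness section 4.6 warns about: offering Basic alongside stronger schemes buys nothing against an attacker who can edit the 401 in transit.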
