Dancer wrote:
> Specifically it says that they must be consumed by proxies that
> _require_ such credentials. A proxy MAY pass challenges and credentials
> through if they do not personally require them themselves, but the spec
> also says that this is not to be confused with 'forwarding' them. Cute
> semantic difference :)

The HTTP 1.1 spec is carefully worded with reasons. Authentication is
sensitive information and should not be forwarded without thought.

Relevant sections from draft-ietf-http-v11-spec-rev-06:

13.5.1 End-to-end and Hop-by-hop Headers

   The following HTTP/1.1 headers are hop-by-hop headers:
   . Proxy-Authenticate
   . Proxy-Authorization

14.33 Proxy-Authenticate

   Unlike WWW-Authenticate, the Proxy-Authenticate header field
   applies only to the current connection and SHOULD NOT be passed
   on to downstream clients. However, an intermediate proxy might
   need to obtain its own credentials by requesting them from the
   downstream client, which in some circumstances will appear as
   if the proxy is forwarding the Proxy-Authenticate header field.

14.34 Proxy-Authorization

   When multiple proxies are used in a chain, the Proxy-Authorization
   header field is consumed by the first outbound proxy that was
   expecting to receive credentials. A proxy MAY relay the credentials
   from the client request to the next proxy if that is the mechanism
   by which the proxies cooperatively authenticate a given request.

The only questionable part is "first outbound proxy that was expecting to
receive credentials", which seems to partially defeat the purpose of the
other sections. Other than this, the intended way to handle proxy
authentication in chained proxies is without doubt.

/Henrik
Received on Tue Jul 29 2003 - 13:15:57 MDT
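
The handling described in the quoted sections 14.33 and 14.34, modelled as an added example (not part of the original message and not code from any proxy implementation). The Proxy class, its relay flag, the send() helper and the TOKEN value are assumptions made for illustration; a proxy that needs no credentials is modelled as always passing them on, which the spec only permits (MAY).

```python
from dataclasses import dataclass

CRED = "proxy-authorization"
TOKEN = "Basic CONSTRUCTED-EXAMPLE-VALUE"  # constructed sample credential


@dataclass
class Proxy:
    name: str
    valid: frozenset = frozenset()  # non-empty: this proxy expects credentials
    relay: bool = False             # cooperative auth with the next proxy

    def handle(self, headers):
        """Return (status, headers to send to the next hop)."""
        cred = next((v for k, v in headers.items() if k.lower() == CRED), None)
        out = {k: v for k, v in headers.items() if k.lower() != CRED}
        if self.valid:
            if cred not in self.valid:
                # The challenge is this hop's own header, not a forwarded one.
                return 407, {"Proxy-Authenticate": f'Basic realm="{self.name}"'}
            if self.relay:  # consumed here, relayed only by agreement
                out["Proxy-Authorization"] = cred
        elif cred is not None:
            # Assumption: a proxy needing no credentials passes them on (MAY).
            out["Proxy-Authorization"] = cred
        return 200, out


def send(chain, headers):
    """Return (status, answering proxy or None, proxies that saw the
    credential, headers leaving the last proxy handled)."""
    seen = []
    for proxy in chain:
        if any(k.lower() == CRED for k in headers):
            seen.append(proxy.name)
        status, headers = proxy.handle(headers)
        if status == 407:
            return status, proxy.name, seen, headers
    return 200, None, seen, headers


if __name__ == "__main__":
    req = {"Host": "example.test", "Proxy-Authorization": TOKEN}
    chain = [Proxy("edge"), Proxy("auth", frozenset({TOKEN})), Proxy("parent")]
    print(send(chain, req))                            # consumed at "auth"
    print(send([Proxy("edge"), Proxy("parent")], req))  # nobody consumes it
```

The second call shows the case the hop-by-hop rule guards against: with no proxy in the chain expecting credentials, the header is still present on the request leaving the last proxy.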