DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://issues.apache.org/bugzilla/show_bug.cgi?id=29439>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=29439
Credentials ignored if realm specified in preemptive authentication

------- Additional Comments From [EMAIL PROTECTED] 2004-06-09 09:37 -------

Phillipe, no, we will not assume realm=null if preemptive auth is enabled, for security reasons. This could expose credentials to the wrong web application, possibly the one of an attacker. If you enable preemptive auth you need to explicitly state (by setting the realm to null) that you want specific credentials to be sent to any realm. So the responsibility is on the user side. I know this may sound paranoid. But security without paranoia is bad security in my opinion.

The load balancing issue is out of our scope. The load balancing must unconditionally support session hand-over in a world where cookies drive the web. If you pretend to be one single machine but behave like n ones, problems are at hand. I do not know of any RFC covering load balanced HTTP servers. There is nothing that I want to do here.

I am afraid all we can do is issue a warning or throw an exception. If you are dealing with multi-MB requests, you should also consider other forms of authentication that suit your needs. Maybe BASIC is just too basic for you.
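The comment above draws a line between challenge-driven authentication (the server has named its realm, so the client can pick the matching credentials) and preemptive authentication (no challenge has been seen, so the realm is unknown and only credentials the caller explicitly scoped to "any realm" may be sent). The following Python model is an added illustration of that policy; it is constructed for this page and is not HttpClient's code or API. The class and function names, the `ANY_REALM` sentinel (standing in for the "realm set to null" the comment mentions), and the sample host and credentials are all assumptions made for the example.

```python
import base64
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Explicit wildcard realm. Registering credentials under this value is the
# caller's opt-in to sending them to any realm (the "set the realm to null"
# step the comment describes). Hypothetical sentinel, not HttpClient's.
ANY_REALM: Optional[str] = None


@dataclass(frozen=True)
class Credentials:
    user: str
    password: str


class CredentialStore:
    """Credentials keyed by (host, realm). Constructed model, not HttpClient."""

    def __init__(self) -> None:
        self._entries: Dict[Tuple[str, Optional[str]], Credentials] = {}

    def set_credentials(self, host: str, realm: Optional[str], creds: Credentials) -> None:
        self._entries[(host, realm)] = creds

    def for_challenge(self, host: str, realm: str) -> Optional[Credentials]:
        """Challenge-driven lookup: the server has named its realm, so an
        exact (host, realm) entry wins; otherwise fall back to an entry the
        caller explicitly registered for any realm on that host."""
        exact = self._entries.get((host, realm))
        if exact is not None:
            return exact
        return self._entries.get((host, ANY_REALM))

    def for_preemptive(self, host: str) -> Optional[Credentials]:
        """Preemptive lookup: no challenge has been seen, so the realm is
        unknown. Only credentials explicitly scoped to ANY_REALM qualify;
        realm-specific entries are never guessed at, so they cannot leak to
        whatever application happens to answer on that host."""
        return self._entries.get((host, ANY_REALM))


# Matches the realm parameter of a Basic challenge, e.g. Basic realm="admin".
_BASIC_CHALLENGE = re.compile(r'^\s*Basic\s+realm="([^"]*)"', re.IGNORECASE)


def parse_basic_realm(www_authenticate: str) -> Optional[str]:
    """Extract the realm from a Basic WWW-Authenticate value, or None if
    the header is not a Basic challenge."""
    m = _BASIC_CHALLENGE.match(www_authenticate)
    return m.group(1) if m else None


def basic_authorization(creds: Credentials) -> str:
    """Build the Authorization header value for Basic auth."""
    token = base64.b64encode(f"{creds.user}:{creds.password}".encode()).decode()
    return f"Basic {token}"


def first_request_header(store: CredentialStore, host: str) -> Optional[str]:
    """Header to attach to the very first request when preemptive auth is
    on and no 401 has been seen yet. None means send nothing."""
    creds = store.for_preemptive(host)
    return basic_authorization(creds) if creds else None


def retry_header(store: CredentialStore, host: str, www_authenticate: str) -> Optional[str]:
    """Header to attach when retrying after a 401 that carried a challenge."""
    realm = parse_basic_realm(www_authenticate)
    if realm is None:
        return None
    creds = store.for_challenge(host, realm)
    return basic_authorization(creds) if creds else None


if __name__ == "__main__":
    # Constructed sample: credentials scoped to a specific realm only.
    store = CredentialStore()
    store.set_credentials("app.example", "admin", Credentials("alice", "secret"))
    print("preemptive, realm-scoped only:", first_request_header(store, "app.example"))
    print("after challenge:", retry_header(store, "app.example", 'Basic realm="admin"'))
    # Opting in: register credentials for any realm on that host.
    store.set_credentials("app.example", ANY_REALM, Credentials("bob", "pw"))
    print("preemptive, wildcard present:", first_request_header(store, "app.example"))
```

With only a realm-scoped entry present, `first_request_header` returns `None`, which is the behaviour the comment defends: the client sends nothing until the server identifies itself with a challenge. Registering a second entry under `ANY_REALM` is the explicit opt-in, after which the preemptive path returns a header and the challenge path still prefers the exact realm match when one exists.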