http://issues.apache.org/bugzilla/show_bug.cgi?id=29439

Credentials ignored if realm specified in preemptive authentication
------- Additional Comments From [EMAIL PROTECTED]  2004-06-09 10:06 -------
Ortwin,

>no, we will not assume realm=null if preemptive auth is enabled, for security
>reasons. This could expose credentials to the wrong web application, possibly
>the one of an attacker. If you enable preemptive auth you need to explicitly
>state (by setting the realm to null) that you want specific credentials to be
>sent to any realm. So the responsibility is on the user side. I know this may
>sound paranoid. But security without paranoia is bad security in my opinion.

I definitely agree. 

Maybe the documentation should reflect this 'null' value for realms in the 
'Preemptive Authentication' paragraph?

>The load balancing issue is out of our scope. The load balancing must
>unconditionally support session hand-over in a world where cookies drive the
>web. If you pretend to be one single machine but behave like n ones, problems
>are at hand. I do not know of any RFC covering load balanced HTTP servers. 
>There is nothing that I want to do here.

Again I agree.

>I am afraid all we can do is issue a warning or throw an exception.

I propose the more defensive 'exception' approach; that way it is definitely no 
longer silent.

>If you are dealing with multi-MB requests, you should also consider other forms
>of authentication that suit your needs. Maybe BASIC is just too basic for you.

Indeed, but I don't choose the authentication mechanism, and people like adding 
passwords everywhere (it may be paranoid, but as you said, "security without 
paranoia is bad security").

Thanks again for your quick answer and the level of support offered.

Philippe

P.S. Proposition: maybe the next version (3?) should support a way to set 
preemptive credentials without specifying a 'null' value, using a more explicit 
sentinel instead?
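The realm rule Ortwin describes in the quoted comment, modelled as an added example (it is not code from this thread or from the client library under discussion; the class and function names are my own): a credential bound to a named realm is selected only once a 401 challenge names that realm, while preemptive sending, where no challenge has been seen, uses only an entry the user explicitly scoped to any realm (realm None).

```python
# Added example: a model of realm-scoped credential selection, not code from the
# original thread or from the HTTP client library being discussed.
from dataclasses import dataclass
from typing import Optional, List
import base64


@dataclass(frozen=True)
class Credential:
    host: str
    realm: Optional[str]  # None means "explicitly allowed for any realm on this host"
    username: str
    password: str


class CredentialStore:
    def __init__(self) -> None:
        self._creds: List[Credential] = []

    def add(self, cred: Credential) -> None:
        self._creds.append(cred)

    def for_preemptive(self, host: str) -> Optional[Credential]:
        # Preemptive auth sends credentials before any 401 has been seen, so the
        # realm is unknown. Only an entry the user scoped to realm=None qualifies;
        # a credential bound to a named realm is ignored rather than sent blind
        # to whatever application happens to answer on that host.
        for c in self._creds:
            if c.host == host and c.realm is None:
                return c
        return None

    def for_challenge(self, host: str, realm: str) -> Optional[Credential]:
        # A 401 with WWW-Authenticate: Basic realm="..." has named the realm,
        # so an exact realm match is preferred, with the realm=None entry as fallback.
        for c in self._creds:
            if c.host == host and c.realm == realm:
                return c
        return self.for_preemptive(host)


def basic_header(cred: Optional[Credential]) -> Optional[str]:
    """Authorization header value for a credential, or None if nothing is sent."""
    if cred is None:
        return None
    token = base64.b64encode(f"{cred.username}:{cred.password}".encode()).decode()
    return f"Basic {token}"
```

With only a realm-bound credential in the store, `for_preemptive` returns None, which is exactly the "credentials ignored" behaviour the bug title describes; adding an entry with realm None is what opts those credentials in to being sent to any realm.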
