I just noticed a feature of IIS 5.0 which is (if I am correct)
impossible to do with Apache (1.3/2.0), albeit very useful. It
is the possibility to use multiple authentication schemes
in parallel, with the client selecting the most appropriate
version.

Without much explanation, here's a response header of IIS5 for a
request requiring authentication:

  HTTP/1.1 401 Unauthorized
  Server: Microsoft-IIS/5.0
  Date: Mon, 17 Sep 2001 14:01:05 GMT
  WWW-Authenticate: Negotiate
  WWW-Authenticate: NTLM
  WWW-Authenticate: Basic realm="my.fsc.net"
  Set-Cookie: RQFW={CC8D82ED-2EC6-446D-8013-68DA01CFE353}; path=/;
  Cache-Control: private
  Content-Type: text/html; charset=utf-8
  Content-Length: 1509

For Apache, the alternatives "Basic" and "Digest" would be more appropriate,
of course. But AFAICS Apache does not allow for accepting multiple
schemes alternatively.

In RFC2617, I find a reference of multiple WWW-Authenticate headers:

>  4.6 Weakness Created by Multiple Authentication Schemes
>
>     An HTTP/1.1 server may return multiple challenges with a 401
>     (Authenticate) response, and each challenge may use a different
>     auth-scheme. A user agent MUST choose to use the strongest
>     auth-scheme it understands and request credentials from the user
>     based upon that challenge.
>
>     Note that many browsers will only recognize Basic and will require
>     that it be the first auth-scheme presented. Servers should only
>     include Basic if it is minimally acceptable.
>
>     When the server offers choices of authentication schemes using the
>     WWW-Authenticate header, the strength of the resulting
>     authentication is only as good as that of the weakest of the
>     authentication schemes. See section 4.8 below for discussion of
>     particular attack scenarios that exploit multiple authentication
>     schemes.

Now my question is:

* is this feature standardized? (The first "WWW-Authenticate: Negotiate"
  looks fishy to me)

* how could Apache be configured to support multiple auth schemes for
  a given resource in parallel? Currently, "AuthType Digest" allows
  only one argument, and using it multiple times just replaces the
  current setting.

  Martin
-- 
<[EMAIL PROTECTED]>         |     Fujitsu Siemens
Fon: +49-89-636-46021, FAX: +49-89-636-47655 | 81730  Munich,  Germany

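As an added illustration (not part of Martin's post, and not Apache or IIS code), the following Python models the client side of the RFC 2617 text quoted above: it parses the IIS challenge list, picks the strongest scheme it understands regardless of header order, and then shows the section 4.8 point that an on-path attacker who strips every challenge but Basic reduces the whole exchange to Basic. The ranking Negotiate > NTLM > Digest > Basic, the trimmed sample response, and all function names are assumptions of the example.

```python
import re

# Constructed sample: the IIS 5.0 challenge list quoted in the post, reduced to the
# headers that matter for scheme selection (not a capture from a live server).
IIS_RESPONSE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    'WWW-Authenticate: Basic realm="my.fsc.net"\r\n'
    "Content-Length: 0\r\n"
    "\r\n"
)

# Client-side ranking, strongest first. This order is an assumption of the example:
# RFC 2617 only defines Basic and Digest; Negotiate and NTLM are Microsoft schemes.
STRENGTH = ["Negotiate", "NTLM", "Digest", "Basic"]


def _split_commas(value):
    """Split a header value on commas that are not inside double quotes."""
    parts, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def _unquote(v):
    """Strip surrounding double quotes and backslash escapes from a quoted-string."""
    if len(v) >= 2 and v[0] == v[-1] == '"':
        return re.sub(r"\\(.)", r"\1", v[1:-1])
    return v


def _parse_challenge_value(value, challenges):
    """Append the challenges found in one WWW-Authenticate value to `challenges`.

    Handles both one challenge per header (as IIS sends) and several challenges
    in one header separated by commas. token68 payloads (the base64 blob of an
    NTLM step-2 challenge) are out of scope; only initial challenge lists are parsed.
    """
    for piece in _split_commas(value):
        key, eq, val = piece.partition("=")
        key = key.strip()
        if not eq:                              # bare "Scheme": new challenge, no params
            challenges.append((key, {}))
        elif " " in key:                        # "Scheme param=value": new challenge
            scheme, pname = key.split(None, 1)
            challenges.append((scheme, {pname.strip().lower(): _unquote(val.strip())}))
        elif challenges:                        # "param=value": belongs to the current challenge
            challenges[-1][1][key.lower()] = _unquote(val.strip())


def parse_challenges(raw_response):
    """Return [(scheme, {param: value})] for every WWW-Authenticate header, in wire order."""
    challenges = []
    for line in raw_response.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break                               # end of the header block
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "www-authenticate":
            _parse_challenge_value(value.strip(), challenges)
    return challenges


def choose_scheme(challenges, ranking=STRENGTH):
    """RFC 2617 4.6: pick the strongest scheme the client understands.

    Header order is deliberately ignored; a client that simply takes the first
    challenge it recognises is the behaviour the RFC warns about.
    """
    for wanted in ranking:
        for scheme, params in challenges:
            if scheme.lower() == wanted.lower():
                return scheme, params
    return None


def strip_to_basic(raw_response):
    """Model the RFC 2617 4.8 downgrade: an on-path attacker removes every
    challenge except Basic before the response reaches the client."""
    kept = []
    for line in raw_response.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "www-authenticate":
            if not value.strip().lower().startswith("basic"):
                continue
        kept.append(line)
    return "\r\n".join(kept) + "\r\n"


if __name__ == "__main__":
    honest = parse_challenges(IIS_RESPONSE)
    print("server offered:", [s for s, _ in honest])
    print("client picks  :", choose_scheme(honest)[0])
    downgraded = parse_challenges(strip_to_basic(IIS_RESPONSE))
    print("after MitM    :", choose_scheme(downgraded)[0])
```

Run stand-alone, the script picks Negotiate from the honest response and Basic from the stripped one, which is exactly why the RFC says a server should only list Basic if Basic on its own is acceptable: the client cannot tell a server that offered only Basic from a server whose stronger challenges were removed in transit.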