DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://issues.apache.org/bugzilla/show_bug.cgi?id=29439>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=29439

Credentials ignored if realm specified in preemptive authentication

------- Additional Comments From [EMAIL PROTECTED] 2004-06-09 10:06 -------

Ortwin,

> no, we will not assume realm=null if preemptive auth is enabled, for security
> reasons. This could expose credentials to the wrong web application, possibly
> the one of an attacker. If you enable preemptive auth you need to explicitly
> state (by setting the realm to null) that you want specific credentials to be
> sent to any realm. So the responsibility is on the user side. I know this may
> sound paranoid. But security without paranoia is bad security in my opinion.

I definitely agree. Maybe the documentation should reflect this 'null' value for realms in the 'Preemptive Authentication' paragraph?

> The load balancing issue is out of our scope. The load balancing must
> unconditionally support session hand-over in a world where cookies drive the
> web. If you pretend to be one single machine but behave like n ones, problems
> are at hand. I do not know of any RFC covering load balanced HTTP servers.
> There is nothing that I want to do here.

Again I agree.

> I am afraid all we can do is issue a warning or throw an exception.

I propose the more defensive 'exception' approach; this way it is definitely no longer silent.

> If you are dealing with multi-MB requests, you should also consider other forms
> of authentication that suit your needs. Maybe BASIC is just too basic for you.

Indeed, but I don't choose the authentication mechanism, and people like adding passwords everywhere (it may be paranoid, but as you said, "security without paranoia is bad security").

Thanks again for your quick answer and the level of support offered.

Philippe

P.S. Proposition: maybe the next version (3?) should support a way to set preemptive credentials without specifying a 'null' value but a more explicit sentinel?
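The policy argued in this thread (realm-bound credentials are never sent before a challenge, a null realm is the explicit opt-in, and a mismatch raises instead of staying silent), as an added Python model; this is illustration code, not HttpClient's implementation, and the hosts, realms and credentials in it are constructed placeholders.

```python
# Model of the preemptive-auth policy argued in bug 29439. Added illustration,
# not HttpClient code; hosts, realms and credentials are constructed placeholders.
import base64
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ANY_REALM = None  # the 'null' realm: explicit opt-in to send to any realm

@dataclass(frozen=True)
class AuthScope:
    host: str
    port: int
    realm: Optional[str]  # None means ANY_REALM

class PreemptiveAuthError(Exception):
    """Raised instead of silently dropping realm-bound credentials."""

def basic_header(user: str, password: str) -> str:
    token = base64.b64encode(f"{user}:{password}".encode()).decode("ascii")
    return f"Basic {token}"

class CredentialStore:
    def __init__(self) -> None:
        self._creds: Dict[AuthScope, Tuple[str, str]] = {}

    def set_credentials(self, scope: AuthScope, user: str, password: str) -> None:
        self._creds[scope] = (user, password)

    def preemptive_header(self, host: str, port: int) -> Optional[str]:
        """Header for the first request, before any challenge: the realm is
        unknown, so only ANY_REALM credentials qualify. Realm-bound ones for
        the host are not guessed and not silently dropped: they raise."""
        same_host = {s: c for s, c in self._creds.items()
                     if s.host == host and s.port == port}
        for scope, (user, password) in same_host.items():
            if scope.realm is ANY_REALM:
                return basic_header(user, password)
        if same_host:
            raise PreemptiveAuthError(
                f"credentials for {host}:{port} are bound to realms "
                f"{sorted(s.realm for s in same_host)}; register them with "
                "realm=None to send them preemptively")
        return None  # nothing configured: first request goes out unauthenticated

    def challenge_header(self, host: str, port: int, realm: str) -> Optional[str]:
        """Header for the retry after a 401 naming `realm`: exact realm wins."""
        for want in (realm, ANY_REALM):
            creds = self._creds.get(AuthScope(host, port, want))
            if creds:
                return basic_header(*creds)
        return None
```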
