Re: Digest authentication

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Mon, 11 Sep 2000 23:22:41 +0200

Hirohiko Nakano wrote:

> At first, I had a plan to use the Authentication-Info header defined
> in the DA authentication spec. But Squid does not support it, so I checked
> the HTTP specs in order to choose a suitable header for my purpose.

Squid SHOULD pass it along unmodified when proxying requests, unless
prohibited by a Connection header, and unless explicitly told so by the
origin server, Squid does not cache authenticated objects.

> By the way, Squid will support DA auth in the future?

There are plans to implement digest authentication. No timeframe is set
yet, but it will come after the NTLM authentication has stabilized.

> If the server cannot send an Authentication-Info header in a 304 response, squid
> sends a stale nonce stored in the cache to a client.

Unless protected by a cache-control header, yes. This problem applies to
any HTTP/1.0 cache if the content is marked as cacheable.

> Cache-hit is an unhappy event for DA auth?

Maybe. If you require authentication for the object and yet mark it as
cacheable without forced revalidation then yes, but such a setup seems a
bit murky anyway, as it only requires revalidations to be authenticated,
not requests while the object is fresh.

> I think that a 304 HTTP response can include an Authentication-Info header.

Not so sure about this. RFC2616 does not define Authentication-Info as a
response header, and all unknown headers are to be classified as entity
headers. Also, RFC2617 does not clarify whether Authentication-Info is a
response or an entity header (it should be a response header).

So it boils down to this: Authentication-Info cannot be reliably proxied
until some later HTTP version, and only when the whole request path is
upgraded. As more and more clients start to support it, it is quite
likely that these issues will get resolved in HTTP/1.1 proxies as well,
or even HTTP/1.0 proxies (which Squid still is).

> I think that the Authentication-Info header MUST be passed through by a proxy.

According to RFC2617 yes, but not according to RFC2616, since it is not
defined as a request-header there. If Squid had known about the
Authentication-Info header then it would have passed it on all requests
which have actually invoked a call to the origin server. However, cache
hits where the origin server has not been contacted would still have
carried stale versions of the header.

So the quick fix is to add Authentication-Info to the list of known
headers in Squid (see enums.h and HttpHeader.c; add it last in both
lists).

--
Henrik Nordstrom
Squid hacker
--
To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
Received on Mon Sep 11 2000 - 15:28:02 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:55:15 MST
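The two failure paths Henrik describes (a cache hit that never reaches the origin, and a 304 that omits Authentication-Info so the cached nextnonce is merged back in) can be reproduced with a small simulation. The following is an added example, not Squid code and not part of the original thread: a toy origin that rotates Digest nonces through Authentication-Info and retires the nonce each response was authenticated with (a policy RFC 2617 permits and the one under which a stale nextnonce bites), a toy cache that serves hits while fresh and otherwise revalidates with If-None-Match and merges the 304's headers over the stored entry, and a client that always presents the last nextnonce it received. The 60-second freshness lifetime, the request timings, the "v1" ETag and the nonce format are all assumptions made up for the example; the header parsing is deliberately minimal.

```python
"""Toy model of Digest "nextnonce" handling through a caching proxy.

Constructed example (not Squid code).  Three pieces: an origin that issues a
new nonce in Authentication-Info on every authenticated response, a cache
that stores cacheable 200s and merges 304 headers over them, and a client
that always uses the last nextnonce it saw.
"""
import itertools

MAX_AGE = 60  # assumption: freshness lifetime of the cacheable 200, in seconds


def _param(header: str, name: str) -> str:
    """Pull name="value" out of a Digest challenge/info header (toy parser)."""
    return header.split(name + '="', 1)[1].split('"', 1)[0]


class Origin:
    """Protected resource.  Each authenticated response issues a fresh nonce
    and retires the one it was authenticated with, so a client that keeps
    presenting an old nextnonce will eventually get 401 with stale=true."""

    def __init__(self, auth_info_on_304: bool, cacheable: bool = True):
        self.auth_info_on_304 = auth_info_on_304   # does the 304 carry Authentication-Info?
        self.cacheable = cacheable                 # max-age vs. no-store on the 200
        self._seq = itertools.count(1)
        self.valid = set()                         # nonces still accepted
        self.etag = '"v1"'                         # assumption: fixed entity tag

    def _issue(self) -> str:
        n = "n%d" % next(self._seq)
        self.valid.add(n)
        return n

    def handle(self, req: dict) -> dict:
        nonce = req.get("nonce")
        if nonce not in self.valid:
            chal = 'Digest realm="r", nonce="%s", stale=%s' % (
                self._issue(), "true" if nonce else "false")
            return {"status": 401, "headers": {"WWW-Authenticate": chal}}
        self.valid.discard(nonce)                  # retire the nonce just used
        info = 'nextnonce="%s"' % self._issue()
        if req.get("if_none_match") == self.etag:  # conditional request -> 304
            hdrs = {"ETag": self.etag}
            if self.auth_info_on_304:
                hdrs["Authentication-Info"] = info
            return {"status": 304, "headers": hdrs}
        hdrs = {"ETag": self.etag, "Authentication-Info": info,
                "Cache-Control": "max-age=%d" % MAX_AGE if self.cacheable else "no-store"}
        return {"status": 200, "headers": hdrs, "body": "secret"}


class Proxy:
    """Cache that serves hits while the entry is fresh (without contacting the
    origin at all), then revalidates and merges the 304's headers over the
    stored ones.  Authentication-Info is treated like any other header."""

    def __init__(self, origin: Origin):
        self.origin = origin
        self.entry = None   # {"headers", "body", "expires"}

    def handle(self, req: dict, now: int) -> dict:
        e = self.entry
        if e and now < e["expires"]:
            return {"status": 200, "headers": dict(e["headers"]),
                    "body": e["body"], "source": "hit"}
        if e:
            req = dict(req, if_none_match=e["headers"]["ETag"])
        resp = self.origin.handle(req)
        if resp["status"] == 304:
            merged = {**e["headers"], **resp["headers"]}   # 304 headers win
            self.entry = {"headers": merged, "body": e["body"], "expires": now + MAX_AGE}
            return {"status": 200, "headers": merged, "body": e["body"], "source": "revalidated"}
        if resp["status"] == 200 and "no-store" not in resp["headers"]["Cache-Control"]:
            self.entry = {"headers": dict(resp["headers"]), "body": resp["body"],
                          "expires": now + MAX_AGE}
        return dict(resp, source="origin")


def run(auth_info_on_304: bool, cacheable: bool = True, times=(0, 30, 90, 180)):
    """Issue one GET per entry of `times` (seconds) through the proxy, the
    client always using the last nextnonce it received.  Returns the list
    of (status, source) pairs the client observed."""
    proxy = Proxy(Origin(auth_info_on_304, cacheable))
    challenge = proxy.handle({"nonce": None}, now=times[0])      # initial 401
    nonce = _param(challenge["headers"]["WWW-Authenticate"], "nonce")
    seen = []
    for now in times:
        resp = proxy.handle({"nonce": nonce}, now)
        seen.append((resp["status"], resp["source"]))
        if "Authentication-Info" in resp["headers"]:
            nonce = _param(resp["headers"]["Authentication-Info"], "nextnonce")
    return seen


if __name__ == "__main__":
    print("304 without Authentication-Info:", run(False))
    print("304 with Authentication-Info:   ", run(True))
    print("Cache-Control: no-store:        ", run(False, cacheable=False))
```

With the 304 lacking Authentication-Info, the third request is revalidated at the origin (which retires the nonce), but the client is handed the cached nextnonce again and the fourth request fails with 401 stale=true. With Authentication-Info on the 304 and a proxy that copies it into the merged entry, every request succeeds. With Cache-Control: no-store nothing is cached, so every request reaches the origin and gets a fresh nextnonce. Note also that the second request is a cache hit served without the origin ever seeing its Authorization header, which is Henrik's point about cacheable objects only requiring revalidations to be authenticated.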