Changeset 2558
- Timestamp: 18/01/14 06:22:49 (8 years ago)
- Location: draft-ietf-httpbis/latest
- Files: 2 edited
draft-ietf-httpbis/latest/p7-auth.html
r2554 r2558 760 760 <h2 id="rfc.section.4.2"><a href="#rfc.section.4.2">4.2</a> <a href="#header.proxy-authenticate">Proxy-Authenticate</a></h2> 761 761 <p id="rfc.section.4.2.p.1">The "Proxy-Authenticate" header field consists of at least one challenge that indicates the authentication scheme(s) and parameters 762 applicable to the proxy for this effective request URI (<a href="p1-messaging.html#effective.request.uri" title="Effective Request URI">Section 5.5</a> of <a href="#Part1" id="rfc.xref.Part1.4"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a>). It <em class="bcp14">MUST</em> be included as part of a <a href="#status.407" class="smpl">407 (Proxy Authentication Required)</a> response.762 applicable to the proxy for this effective request URI (<a href="p1-messaging.html#effective.request.uri" title="Effective Request URI">Section 5.5</a> of <a href="#Part1" id="rfc.xref.Part1.4"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a>). A proxy <em class="bcp14">MUST</em> send at least one Proxy-Authenticate header field in each <a href="#status.407" class="smpl">407 (Proxy Authentication Required)</a> response that it generates. 763 763 </p> 764 764 <div id="rfc.figure.u.5"></div><pre class="inline"><span id="rfc.iref.g.7"></span> <a href="#header.proxy-authenticate" class="smpl">Proxy-Authenticate</a> = 1#<a href="#challenge.and.response" class="smpl">challenge</a> 765 </pre><p id="rfc.section.4.2.p.3">Unlike <a href="#header.www-authenticate" class="smpl">WWW-Authenticate</a>, the Proxy-Authenticate header field applies only to the next outbound client on the response chain that chose to direct 766 its request to the responding proxy. 
If that recipient is also a proxy, it will generally consume the Proxy-Authenticate header 767 field (and generate an appropriate <a href="#header.proxy-authorization" class="smpl">Proxy-Authorization</a> in a subsequent request) rather than forward the header field to its own outbound clients. However, if a recipient proxy needs 768 to obtain its own credentials by requesting them from a further outbound client, it will generate its own 407 response, and 769 this might have the appearance of forwarding the Proxy-Authenticate header field if both proxies use the same challenge set. 765 </pre><p id="rfc.section.4.2.p.3">Unlike <a href="#header.www-authenticate" class="smpl">WWW-Authenticate</a>, the Proxy-Authenticate header field applies only to the next outbound client on the response chain. This is because only 766 the client that chose a given proxy is likely to have the credentials necessary for authentication. However, when multiple 767 proxies are used within the same administrative domain, such as office and regional caching proxies within a large corporate 768 network, it is common for credentials to be generated by the user agent and passed through the hierarchy until consumed. Hence, 769 in such a configuration, it will appear as if Proxy-Authenticate is being forwarded because each proxy will send the same 770 challenge set. 770 771 </p> 771 772 <p id="rfc.section.4.2.p.4">Note that the parsing considerations for <a href="#header.www-authenticate" class="smpl">WWW-Authenticate</a> apply to this header field as well; see <a href="#header.www-authenticate" id="rfc.xref.header.www-authenticate.2" title="WWW-Authenticate">Section 4.4</a> for details. -
draft-ietf-httpbis/latest/p7-auth.xml
r2554 r2558 386 386 The "Proxy-Authenticate" header field consists of at least one 387 387 challenge that indicates the authentication scheme(s) and parameters 388 applicable to the proxy for this effective request URI (&effective-request-uri;). 389 It &MUST; be included as part of a <x:ref>407 (Proxy Authentication Required)</x:ref> response. 388 applicable to the proxy for this effective request URI 389 (&effective-request-uri;). 390 A proxy &MUST; send at least one Proxy-Authenticate header field in 391 each <x:ref>407 (Proxy Authentication Required)</x:ref> response that it 392 generates. 390 393 </t> 391 394 <figure><artwork type="abnf2616"><iref primary="true" item="Grammar" subitem="Proxy-Authenticate"/> … … 394 397 <t> 395 398 Unlike <x:ref>WWW-Authenticate</x:ref>, the Proxy-Authenticate header field 396 applies only to the next outbound client on the response chain that chose397 to direct its request to the responding proxy. If that recipient is also a398 proxy, it will generally consume the Proxy-Authenticate header field (and399 generate an appropriate <x:ref>Proxy-Authorization</x:ref> in a subsequent400 re quest) rather than forward the header field to its own outbound clients.401 However, if a recipient proxy needs to obtain its own credentials by402 requesting them from a further outbound client, it will generate its own403 407 response, and this might have the appearance of forwarding the404 Proxy-Authenticate header field if both proxies usethe same challenge set.399 applies only to the next outbound client on the response chain. 400 This is because only the client that chose a given proxy is likely to have 401 the credentials necessary for authentication. However, when multiple 402 proxies are used within the same administrative domain, such as office and 403 regional caching proxies within a large corporate network, it is common 404 for credentials to be generated by the user agent and passed through the 405 hierarchy until consumed. 
Hence, in such a configuration, it will appear 406 as if Proxy-Authenticate is being forwarded because each proxy will send 407 the same challenge set. 405 408 </t> 406 409 <t>
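Review bot: In the first hunk of p7-auth.xml (and the matching HTML paragraph 4.2.p.1), the requirement is narrowed from every 407 response ("It MUST be included as part of a 407 ... response") to only those a proxy "generates", so a 407 that a proxy receives and relays is no longer covered by any requirement in this paragraph. If that is intended, say so explicitly; otherwise add a sentence on what a recipient does with a 407 that carries no Proxy-Authenticate field, since a client cannot select credentials without a challenge.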
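Review bot: In the second hunk of p7-auth.xml (HTML paragraph 4.2.p.3), the rewrite drops the only cross-reference to Proxy-Authorization and the statement that a recipient proxy "will generally consume the Proxy-Authenticate header field ... rather than forward" it, so the new text describes credentials "passed through the hierarchy until consumed" without naming the field that carries them or saying where they stop. Suggest keeping the x:ref to Proxy-Authorization and stating that the pass-through applies only among proxies in the same administrative domain, because credentials relayed past that boundary are disclosed to a party the user agent did not choose. The final sentence also changes "might ... if both proxies use the same challenge set" to "each proxy will send the same challenge set", which reads as a guarantee rather than a property of one configuration; "when each proxy sends the same challenge set" would keep the condition.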