Changeset 2558 for draft-ietf-httpbis


Timestamp:
18/01/14 06:22:49 (6 years ago)
Author:
fielding@…
Message:

(editorial) rephrase the description of proxy chaining in Proxy-Authenticate; see #522 and #536

Location:
draft-ietf-httpbis/latest
Files:
2 edited

  • draft-ietf-httpbis/latest/p7-auth.html

    r2554 r2558  
    760760            <h2 id="rfc.section.4.2"><a href="#rfc.section.4.2">4.2</a>&nbsp;<a href="#header.proxy-authenticate">Proxy-Authenticate</a></h2>
    761761            <p id="rfc.section.4.2.p.1">The "Proxy-Authenticate" header field consists of at least one challenge that indicates the authentication scheme(s) and parameters
    762                applicable to the proxy for this effective request URI (<a href="p1-messaging.html#effective.request.uri" title="Effective Request URI">Section 5.5</a> of <a href="#Part1" id="rfc.xref.Part1.4"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a>). It <em class="bcp14">MUST</em> be included as part of a <a href="#status.407" class="smpl">407 (Proxy Authentication Required)</a> response.
     762               applicable to the proxy for this effective request URI (<a href="p1-messaging.html#effective.request.uri" title="Effective Request URI">Section 5.5</a> of <a href="#Part1" id="rfc.xref.Part1.4"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a>). A proxy <em class="bcp14">MUST</em> send at least one Proxy-Authenticate header field in each <a href="#status.407" class="smpl">407 (Proxy Authentication Required)</a> response that it generates.
    763763            </p>
    764764            <div id="rfc.figure.u.5"></div><pre class="inline"><span id="rfc.iref.g.7"></span>  <a href="#header.proxy-authenticate" class="smpl">Proxy-Authenticate</a> = 1#<a href="#challenge.and.response" class="smpl">challenge</a>
    765 </pre><p id="rfc.section.4.2.p.3">Unlike <a href="#header.www-authenticate" class="smpl">WWW-Authenticate</a>, the Proxy-Authenticate header field applies only to the next outbound client on the response chain that chose to direct
    766                its request to the responding proxy. If that recipient is also a proxy, it will generally consume the Proxy-Authenticate header
    767                field (and generate an appropriate <a href="#header.proxy-authorization" class="smpl">Proxy-Authorization</a> in a subsequent request) rather than forward the header field to its own outbound clients. However, if a recipient proxy needs
    768                to obtain its own credentials by requesting them from a further outbound client, it will generate its own 407 response, and
    769                this might have the appearance of forwarding the Proxy-Authenticate header field if both proxies use the same challenge set.
     765</pre><p id="rfc.section.4.2.p.3">Unlike <a href="#header.www-authenticate" class="smpl">WWW-Authenticate</a>, the Proxy-Authenticate header field applies only to the next outbound client on the response chain. This is because only
     766               the client that chose a given proxy is likely to have the credentials necessary for authentication. However, when multiple
     767               proxies are used within the same administrative domain, such as office and regional caching proxies within a large corporate
     768               network, it is common for credentials to be generated by the user agent and passed through the hierarchy until consumed. Hence,
     769               in such a configuration, it will appear as if Proxy-Authenticate is being forwarded because each proxy will send the same
     770               challenge set.
    770771            </p>
    771772            <p id="rfc.section.4.2.p.4">Note that the parsing considerations for <a href="#header.www-authenticate" class="smpl">WWW-Authenticate</a> apply to this header field as well; see <a href="#header.www-authenticate" id="rfc.xref.header.www-authenticate.2" title="WWW-Authenticate">Section&nbsp;4.4</a> for details.
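Review bot: The rewritten paragraph at new lines 765-770 no longer states that a proxy needing credentials from a further outbound client generates its own 407 response, which the removed text at old lines 767-769 said explicitly. The new closing sentence, "it will appear as if Proxy-Authenticate is being forwarded because each proxy will send the same challenge set", only implies this, so a reader could take it to mean the header field itself is relayed down the chain. Suggest keeping one clause that says each proxy in the hierarchy issues its own 407 with its own Proxy-Authenticate, so the hop-by-hop scope set up in the first sentence stays unambiguous.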
  • draft-ietf-httpbis/latest/p7-auth.xml

    r2554 r2558  
    386386   The "Proxy-Authenticate" header field consists of at least one
    387387   challenge that indicates the authentication scheme(s) and parameters
    388    applicable to the proxy for this effective request URI (&effective-request-uri;).
    389    It &MUST; be included as part of a <x:ref>407 (Proxy Authentication Required)</x:ref> response.
     388   applicable to the proxy for this effective request URI
     389   (&effective-request-uri;).
     390   A proxy &MUST; send at least one Proxy-Authenticate header field in
     391   each <x:ref>407 (Proxy Authentication Required)</x:ref> response that it
     392   generates.
    390393</t>
    391394<figure><artwork type="abnf2616"><iref primary="true" item="Grammar" subitem="Proxy-Authenticate"/>
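Review bot: The requirement at new lines 390-392 is now scoped to each 407 response "that it generates", whereas the removed sentence at old line 389 required the field in a 407 response without naming a sender. That reads as a change in whom the &MUST; binds rather than a pure rephrasing, yet the commit message labels the change "(editorial)". Suggest confirming under #522 or #536 that the narrowing is intended, and saying in the text what is expected of a 407 that reaches a recipient without a Proxy-Authenticate header field, if anything.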
     
    394397<t>
    395398   Unlike <x:ref>WWW-Authenticate</x:ref>, the Proxy-Authenticate header field
    396    applies only to the next outbound client on the response chain that chose
    397    to direct its request to the responding proxy. If that recipient is also a
    398    proxy, it will generally consume the Proxy-Authenticate header field (and
    399    generate an appropriate <x:ref>Proxy-Authorization</x:ref> in a subsequent
    400    request) rather than forward the header field to its own outbound clients.
    401    However, if a recipient proxy needs to obtain its own credentials by
    402    requesting them from a further outbound client, it will generate its own
    403    407 response, and this might have the appearance of forwarding the
    404    Proxy-Authenticate header field if both proxies use the same challenge set.
     399   applies only to the next outbound client on the response chain.
     400   This is because only the client that chose a given proxy is likely to have
     401   the credentials necessary for authentication.  However, when multiple
     402   proxies are used within the same administrative domain, such as office and
     403   regional caching proxies within a large corporate network, it is common
     404   for credentials to be generated by the user agent and passed through the
     405   hierarchy until consumed.  Hence, in such a configuration, it will appear
     406   as if Proxy-Authenticate is being forwarded because each proxy will send
     407   the same challenge set.
    405408</t>
    406409<t>
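Review bot: The replacement text at new lines 399-407 drops the <x:ref>Proxy-Authorization</x:ref> cross-reference that the removed text carried at old line 399, so the section no longer names the field that carries the "credentials ... passed through the hierarchy until consumed". Suggest naming Proxy-Authorization, with the x:ref, in the sentence at new lines 403-405. That sentence also leaves open which proxy consumes the credentials; since it describes credentials crossing more than one hop, it is worth stating that this pass-through applies only among proxies in the same administrative domain, which the text currently gives as the setting rather than as a condition.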