Re: authentication cleanups

Daniel W. Connolly (connolly@hal.com)
Wed, 09 Nov 1994 18:19:12 -0600


In message <199411092345.RAA24811@austin.BSDI.COM>, Tony Sanders writes:
>Perhaps servers should return an indication of what area is
>covered by the authentication. For example:
>
>Client:
> GET /protected/recipies/secret-sauce/ingredients HTTP/1.0
> ...
>Server:
> 401 Unauthorized
> WWW-Authenticate: Basic realm="burgers_and_fries"
> WWW-Realm-Partial: /protected/recipies/, /protected/foods/
...
>Does this make sense?

In a way, yes. But truly anal security fiends would say that this is
divulging potentially sensitive information. They get nervous when you
tell folks the difference between "file not found" and "unauthorized".
It's kinda like having a unix login program that goes:

login: fred
username OK... passwd: ****

login: fredd
username no good.

login:

As long as you're using the basic authentication scheme, you're certainly
not in the league of anal security fiends, and this may be OK.

Dan
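The two login programs Dan sketches and the 401/404 question from Tony's example, side by side, as an added example that is not part of the original thread. Both "leaky" functions answer differently depending on whether the name or path exists; the "uniform" variants do the same work either way and give one answer. User names, passwords and resource paths are constructed sample data.

```python
import hashlib
import hmac
import os

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user database (sample data, not real accounts): name -> (salt, hash)
_SALT = os.urandom(16)
USERS = {"fred": (_SALT, _hash("s3cret", _SALT))}
# Dummy record checked for unknown names so both paths do the same work
_DUMMY = (_SALT, _hash("not-a-real-password", _SALT))

def leaky_login(username: str, password: str) -> str:
    """The 'username OK... / username no good.' prompt from the message."""
    if username not in USERS:
        return "username no good."
    salt, stored = USERS[username]
    if hmac.compare_digest(_hash(password, salt), stored):
        return "welcome"
    return "username OK... passwd bad."

def uniform_login(username: str, password: str) -> str:
    """Same check; unknown-name and wrong-password failures look identical."""
    salt, stored = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_hash(password, salt), stored)
    if ok and username in USERS:
        return "welcome"
    return "login incorrect."

# Constructed resource table for the HTTP side of the thread.
RESOURCES = {"/protected/recipies/secret-sauce/ingredients", "/index.html"}
PROTECTED_PREFIX = "/protected/"

def leaky_status(path: str, authorized: bool) -> int:
    """404 vs 401 tells an unauthenticated client which protected paths exist."""
    if path not in RESOURCES:
        return 404
    if path.startswith(PROTECTED_PREFIX) and not authorized:
        return 401
    return 200

def uniform_status(path: str, authorized: bool) -> int:
    """Check the protected prefix first, so existence is only revealed
    after authentication."""
    if path.startswith(PROTECTED_PREFIX) and not authorized:
        return 401
    return 200 if path in RESOURCES else 404
```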