
Re: stupid HTTP question

From: Greg Hudson <ghudson_at_MIT.EDU>
Date: 2001-10-16 22:22:50 CEST

> But now I just noticed that when neon grabs authentication info from
> the client, it puts the crypted data into a standard HTTP header
> field called "authorization":

> Authorization: Basic c3Vzc21eebjz93Fzb3Vw

> Why, oh why, is this the case. Does HTTP itself confuse the two
> issues?!

Appears so. Here is a great quote from RFC 2616:

14.8 Authorization

      A user agent that wishes to authenticate itself with a server--
      usually, but not necessarily, after receiving a 401 response--does
      so by including an Authorization request-header field with the
      request. The Authorization field value consists of credentials
      containing the authentication information of the user agent for
      the realm of the resource being requested.

You'll note that this paragraph makes perfect sense if you rename the
header to Authentication, or even to Fooblat. It's conceivable that
the authors of the HTTP 1.1 document knew the difference but were
stuck with a bad historical header name.

I'll also note that it's easy to confuse the issues of authentication
and authorization. In some scenarios people might authenticate as a
role like "admin"; such user naming combines authentication and
authorization. That practice leads to poor accountability, but if
you've ever logged in as "root" on a Unix system, you've participated
in it yourself, though perhaps only under duress. :)
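The distinction drawn in the message above, shown as an added example that is not part of the original mail or of Subversion/neon: a small handler that first parses an `Authorization: Basic` header to establish *who* the client is (authentication, per RFC 2617 a base64 encoding of `user:password`, not encryption) and only then consults a separate permission table to decide *what* that user may do in the realm (authorization). The user and permission tables, the realm name `svn-repo`, and all credentials are constructed for the demo.

```python
import base64
import binascii
import hmac
from typing import Optional, Tuple

# Constructed sample data (not from the mailing-list post):
# who can prove an identity, and what each identity may do in a realm.
USERS = {"alice": "s3cret", "bob": "hunter2"}
PERMISSIONS = {
    ("alice", "svn-repo"): {"GET", "PROPFIND", "CHECKOUT", "PUT"},
    ("bob", "svn-repo"): {"GET", "PROPFIND"},
}


def parse_basic_authorization(header_value: str) -> Optional[Tuple[str, str]]:
    """Parse an 'Authorization: Basic <base64>' value into (user, password).

    Basic credentials are base64(user ":" password); base64 is an encoding,
    not encryption, so the header is only as private as the transport.
    Returns None for any other scheme or for malformed input.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


def authenticate(header_value: str) -> Optional[str]:
    """Authentication: establish *who* sent the request. Returns the user or None."""
    creds = parse_basic_authorization(header_value)
    if creds is None:
        return None
    user, password = creds
    expected = USERS.get(user)
    if expected is None:
        return None
    # Constant-time comparison so a wrong password does not leak timing info.
    if not hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8")):
        return None
    return user


def authorize(user: str, realm: str, method: str) -> bool:
    """Authorization: decide *what* an already-identified user may do."""
    return method in PERMISSIONS.get((user, realm), set())


def handle_request(method: str, realm: str, headers: dict) -> int:
    """Return the HTTP status the two separate checks imply for a request."""
    header = headers.get("Authorization")
    if header is None:
        return 401  # no credentials: challenge the client (WWW-Authenticate)
    user = authenticate(header)
    if user is None:
        return 401  # credentials present but identity not established
    if not authorize(user, realm, method):
        return 403  # identity established, action not permitted
    return 200


def basic_header(user: str, password: str) -> str:
    """Build the header value a client would send (demo helper)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    print(handle_request("GET", "svn-repo", {}))
    print(handle_request("PUT", "svn-repo", {"Authorization": basic_header("bob", "hunter2")}))
    print(handle_request("PUT", "svn-repo", {"Authorization": basic_header("alice", "s3cret")}))
```

The two failure modes get different status codes on purpose: 401 means the server could not tell who the client is, 403 means it knows exactly who the client is and still says no. Keeping `authenticate` and `authorize` as separate functions, and keying `PERMISSIONS` on a real user rather than a shared role account, is what preserves the accountability the message says gets lost when people log in as "admin".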

Received on Sat Oct 21 14:36:44 2006

This is an archived mail posted to the Subversion Dev mailing list.