> Chemolli Francesco (USI) wrote:
> >
> > > Since we know that we cannot proxy NTLM WWW authentication,
> > > shouldn't we
> > > filter it out from replies?
> >
> > I don't know. I think I'd prefer to manage it sometime in
> the future,
> > and it can be done (only) by "pinning" a downstream (aka client)
> > connection to an upstream (aka server) connection.
>
> Sure it can be done, but until then?
We could strip the Authenticate: NTLM from the reply.
But if there is no alternate authentication scheme offered
(as can be the case with braindamaged IIS) we need to offer an
ad-hoc error page, otherwise we'd have broken the auth protocol.
If the pinning was possible, we could even act as a basic-to-NTLM
bridge for such cases (there was a python app announced of
freshmeat today that does exactly this). Or maybe we have some
ways to do this even now?
basic-to-NTLM bridge means:
1) we see a server reply with Authenticate: NTLM scheme and no
alternate auth methods offered.
2) we strip that out, and replace that with a Basic challenge
3) user supplies us the username, domain and password
4) we complete the NTLM negotiation with the server
5) we handle the client-server association as authenticated
6) continue as usual, stripping away Authenticate: headers
from client's requests (with NTLM the once the _connection_ is
authenticated no furhter auth takes place)
Ideas? Comments?
-- /kinkieReceived on Fri Apr 13 2001 - 02:11:20 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:13:45 MST