Re: NTLM question

From: Robert Collins <robert.collins@dont-contact.us>
Date: 22 Aug 2001 11:00:28 +1000

On 22 Aug 2001 02:43:53 +0200, Henrik Nordstrom wrote:
> Robert Collins wrote:
>
> > > It is the "child" proxy responsibility to log in to the "parent", not the end
> > > users/browsers. How this is done is up to the implementation of the
> > > "child" proxy.
> >
> > There is also a MAY in HTTP/1.1 that allows proxies to cooperate by
> > passing the users credentials around.
>
> Not really. HTTP/1.1 does not care how the child finds the users credentials. This
> is application defined.

I thought the child was the one closed to the end user? In which case
the child creates the Proxy auth challenge and consumes the response.
 
> It is trye that the proxy MAY relay the user credentials as part of the
> application defined process of finding the credentials required to log in to the
> parent proxy, but this is not the same as forwarding the
> Proxy-Authenticate/Proxy-Authorize headers.

Gotcha, thanks, that fine point had missed me.

So we are allowed to create X-Squid-Credentials=robertc and add that to
our request to the parent, and have it treat the username as being
robertc. (If we don't choose to regenerate a new proxy-authorisation
header for the next hop.)

> Yes, the borderline in terminology and functionality is very thin, but still quite
> distinct.
>

Rob
Received on Tue Aug 21 2001 - 19:12:51 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:14:15 MST