Re: PaceSecurityServices & Digest auth



* Ezra Cooper wrote:
>I see three issues to be addressed with Digest:
>
>   (1) Some web-servers remove the WWW-Authenticate header before 
>passing it to a CGI program.

The relevant header is the "Authorization" request header;
WWW-Authenticate is a response header which a CGI program
would normally not see but rather emit.

>========
>An Atom client MAY authenticate itself to an Atom server by sending an 
>X-Atom-Authenticate HTTP header, in the same form as for the 
>WWW-Authenticate header [RFC2617]. If an Atom client sends a 
>WWW-Authenticate header, it SHOULD have the same value as the 
>X-Atom-Authenticate header.
>========

So this does not really make sense to me. It seems the server would
send an Atom-Authenticate header, but then I ask why it is not e.g.
'WWW-Authenticate: Atom' since clients should not have a problem
generating such a header. So, do you mean clients should send an
Atom-Authorization header that would replicate an Authorization
header that the client would send, too, to bypass the security
mechanism that some web servers employ to hide the Authorization
header? An example communication transcript would be useful.
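
The header direction discussed in this message, as an added example that is not part of the original post: a CGI-style handler that emits the WWW-Authenticate challenge and verifies an RFC 2617 Digest credential from the Authorization request header, falling back to the challenge when the web server has not passed that header on. The `handle` function, the `USERS` table and the sample account (taken from the worked example in RFC 2617) are assumptions for illustration.

```python
import hashlib
import hmac
import re

# Constructed sample account: the values used in the worked example of RFC 2617.
REALM = "testrealm@host.com"
USERS = {"Mufasa": "Circle Of Life"}

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def same(a, b):
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))

def parse_digest(header):
    """Turn 'Digest k="v", k2=v2' into a dict; None if it is not a Digest credential."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        return None
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)
    return {key: quoted or bare for key, quoted, bare in pairs}

def handle(environ, nonce):
    """Return (status, response_headers); nonce is the value the server issued earlier."""
    challenge = ("401 Unauthorized", {
        "WWW-Authenticate": f'Digest realm="{REALM}", qop="auth", nonce="{nonce}"'})
    # The Authorization request header reaches a CGI program as HTTP_AUTHORIZATION,
    # and only if the web server passes it on; without it we can only re-challenge.
    creds = parse_digest(environ.get("HTTP_AUTHORIZATION", ""))
    needed = ("username", "realm", "nonce", "uri", "qop", "nc", "cnonce", "response")
    if creds is None or any(name not in creds for name in needed):
        return challenge
    password = USERS.get(creds["username"])
    if password is None or creds["realm"] != REALM or creds["qop"] != "auth":
        return challenge
    if not same(creds["nonce"], nonce):
        return challenge
    # Not covered here: nonce-count replay tracking and matching uri to the request.
    ha1 = md5_hex(f'{creds["username"]}:{REALM}:{password}')
    ha2 = md5_hex(f'{environ.get("REQUEST_METHOD", "GET")}:{creds["uri"]}')
    expected = md5_hex(f'{ha1}:{nonce}:{creds["nc"]}:{creds["cnonce"]}:auth:{ha2}')
    if not same(expected, creds["response"].lower()):
        return challenge
    return ("200 OK", {"Content-Type": "text/plain"})
```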