https://issues.apache.org/bugzilla/show_bug.cgi?id=45058
--- Comment #2 from Christoph Anton Mitterer <[email protected]> ---

AFAIU it's not exactly defined at which level AUTH_TYPE specifies the type...

RFC 3875 says:

    4.1.1. AUTH_TYPE

    The AUTH_TYPE variable identifies any mechanism used by the server
    to authenticate the user. It contains a case-insensitive value
    defined by the client protocol or server implementation.

    For HTTP, if the client request required authentication for external
    access, then the server MUST set the value of this variable from the
    'auth-scheme' token in the request Authorization header field.

        AUTH_TYPE      = "" | auth-scheme
        auth-scheme    = "Basic" | "Digest" | extension-auth
        extension-auth = token

    HTTP access authentication schemes are described in RFC 2617 [5].

One might take the HTTP literally, i.e. "not HTTPS"... but again... this is just one possible interpretation.

The problem is that more than one authentication type could have taken place, e.g. first SSL client certificate login ... and afterwards HTTP Basic Auth.... and there's currently no way to specify a list of authentication types that have taken place.
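
The following is an added example, not part of the bug report or of Apache's code. It shows how a CGI application can work around the single-valued AUTH_TYPE by building its own list of the authentication mechanisms that took place. It assumes mod_ssl exports SSL_CLIENT_VERIFY (via `SSLOptions +StdEnvVars`); the function name, the `tls-client-cert` label and the sample environments are constructed for this illustration.

```python
import re

# RFC 3875 4.1.1: AUTH_TYPE = "" | auth-scheme, where auth-scheme is ONE token.
# Token characters per RFC 2616: any CHAR except CTLs and separators.
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def auth_mechanisms(environ):
    """Return every authentication mechanism visible in a CGI environment.

    AUTH_TYPE can name only one scheme, so TLS client-certificate
    authentication is detected separately through mod_ssl's
    SSL_CLIENT_VERIFY (NONE, SUCCESS, GENEROUS or FAILED:reason).
    """
    mechanisms = []

    # Only a fully verified certificate counts as authentication here.
    if environ.get("SSL_CLIENT_VERIFY") == "SUCCESS":
        mechanisms.append("tls-client-cert")  # label chosen for this example

    auth_type = environ.get("AUTH_TYPE", "")
    if auth_type:
        # Reject anything that is not a single token, e.g. "Basic, Digest":
        # the grammar has no list form, so such a value is malformed.
        if not _TOKEN.fullmatch(auth_type):
            raise ValueError("AUTH_TYPE is not a single token: %r" % auth_type)
        mechanisms.append(auth_type.lower())  # the value is case-insensitive

    return mechanisms


# Constructed sample environments (not captured from a real server).
CERT_THEN_BASIC = {"SSL_CLIENT_VERIFY": "SUCCESS", "AUTH_TYPE": "Basic",
                   "REMOTE_USER": "alice"}
BASIC_ONLY = {"SSL_CLIENT_VERIFY": "NONE", "AUTH_TYPE": "BASIC",
              "REMOTE_USER": "alice"}
ANONYMOUS = {"AUTH_TYPE": ""}

if __name__ == "__main__":
    for env in (CERT_THEN_BASIC, BASIC_ONLY, ANONYMOUS):
        print(auth_mechanisms(env))
```

An access decision that requires both factors should check this list rather than AUTH_TYPE alone, since AUTH_TYPE reads `Basic` in both of the first two sample environments.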
