On Wed, 22 Oct 2014, Stefan Bühler wrote:

And afaict both authenticate the connection (both squid3 and MS Proxy work that way) and not the request. Negotiate is basically a wrapper around NTLM that also supports Kerberos; squid3 contains a negotiate_wrapper that takes an NTLM and a Kerberos authenticator.

It is that two different actual protocols thing that has kept me confused, because Kerberos authentication should be possible to do on a per-request basis while NTLM is a per-connection thing. I'm now thinking that Negotiate perhaps always has to be considered to be per-connection for it to work properly.

This of course requires some adjustments in the code to make it so.

So: IMHO the header should always be cleaned up, and the authentication states should be moved to the connection state; because Digest will break even with this patch, as you need the counter - Basic auth ofc works if you don't clean up the header.

HTTP authentication is not associated with the exact TCP connection so it cannot always be stored on a per-connection basis. HTTP and libcurl can keep the authenticated state even when creating new connections to continue on.

Connection-based authentication methods are violators of the HTTP spec and thus we handle them separately from the "normal" ones. We need to start handling Negotiate as we handle NTLM I guess.

--

 / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html