On Mon, 2007-11-12 at 17:35 +0100, Kevin Crosbie wrote:
> Kevin Crosbie wrote:
> > I guess I can store the Proxy-Authorization header as a string and set
> > the header value every time I make a request.
> >
>
> Looks like it's not so easy to just save the Proxy-Authorization header.
> If I say:
> <snip>
> if (this.authHeader != null)
>     method.setRequestHeader(this.authHeader);
> </snip>
> <snip>
> int status = client.executeMethod(method);
> </snip>
> <snip>
> this.authHeader = method.getRequestHeader("Proxy-Authorization");
> </snip>
>
> where this.authHeader is of type org.apache.commons.httpclient.Header
> and the <snip></snip> are pieces taken from my code where more code runs
> between snips, such as setDoAuthentication etc.
>
> This works fine if the challenge is always correct, but if, say, the
> nonce had changed between posts, then the challenge is not processed a
> second time (i.e. the header that I added is taken to be the response to
> the challenge generated in this iteration).
>
> I guess the only way to fix this is to change the authorizers so that
> they can cache intermediate requests and try to authenticate at least
> one more time in the case of Digest authentication if a challenge is
> received after a post.
>
Kevin,

There is a trade-off between security and performance. The whole point of
generating new nonce values is to make Digest authentication less prone to
brute-force attacks. The less frequently the nonce changes, the more likely
is the chance that the authentication can be brute-forced. Preemptive
authentication simply defeats the purpose of the Digest authentication
scheme. In general any kind of preemptive authentication is a security risk.

Oleg

> Anyway, just thought I'd update.
>
> Best Regards,
>
> Kevin Crosbie
>

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
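The failure Kevin describes (a cached Proxy-Authorization header replayed after the proxy has rotated its nonce) and the point Oleg makes about why the nonce must rotate, as an added Python example that is not part of this thread or of HttpClient: a minimal RFC 2617 Digest response computed on the client side, and a proxy-side check that tells a stale nonce apart from wrong credentials. The user, password, realm, URI and nonce values are constructed for the example.

```python
import hashlib
import re
import secrets

# Constructed credentials and request; a real proxy issues nonces per challenge.
USER, PASSWORD, REALM = "kevin", "s3cret", "proxy"
METHOD, URI = "POST", "/upload"

def md5(s):
    return hashlib.md5(s.encode()).hexdigest()
def digest_response(nonce):
    """Client side: RFC 2617 Digest response (no qop) bound to one challenge nonce."""
    ha1 = md5(f"{USER}:{REALM}:{PASSWORD}")
    ha2 = md5(f"{METHOD}:{URI}")
    return md5(f"{ha1}:{nonce}:{ha2}")
def build_header(nonce):
    """The Proxy-Authorization value a client might cache and re-send preemptively."""
    return (f'Digest username="{USER}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{URI}", response="{digest_response(nonce)}"')
def parse_header(header):
    return dict(re.findall(r'(\w+)="([^"]*)"', header))

class DigestProxy:
    """Proxy side: accepts only the nonce it issued most recently."""
    def __init__(self):
        self.current_nonce = secrets.token_hex(8)

    def rotate_nonce(self):
        self.current_nonce = secrets.token_hex(8)

    def check(self, header):
        """'ok', 'stale' (valid credentials, expired nonce) or 'bad' (wrong credentials)."""
        f = parse_header(header)
        expected = digest_response(f["nonce"])  # proxy recomputes with its stored HA1
        if not secrets.compare_digest(f["response"], expected):
            return "bad"
        if f["nonce"] != self.current_nonce:
            return "stale"  # RFC 2617: 407 with stale=true; client must answer the new challenge
        return "ok"

def replay_cached_header():
    """Kevin's scenario: first post succeeds, the cached header is replayed after rotation."""
    proxy = DigestProxy()
    cached = build_header(proxy.current_nonce)
    first = proxy.check(cached)
    proxy.rotate_nonce()                     # proxy changes its nonce between posts
    replayed = proxy.check(cached)           # preemptive re-send of the now-stale header
    refreshed = proxy.check(build_header(proxy.current_nonce))  # challenge re-processed
    return first, replayed, refreshed
```

The replayed header fails only because its nonce is stale, which is exactly the case the client must handle by answering the new challenge rather than re-sending the cached header.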