Hi All,

I have a query regarding redirect servers. When a
redirect server receives a request, should it examine proxy-related
headers or UA-related headers for its processing? For
example, should it examine the Require or Proxy-Require header
to match it against its capability set? More importantly, should
it challenge the request with a 401 (containing WWW-Authenticate)
or a 407 (containing Proxy-Authenticate)?

From bis-09 (lines 4829-4830):

"Additionally, registrars and redirect servers MAY make use of 401
(Unauthorized) responses for authentication, but proxies MUST NOT,
and instead MAY use the 407 (Proxy Authentication Required) response."

But shouldn't a redirect server actually use a 407 instead of a
401, because:

a. The redirect server was not the final entity the request was
intended for. It was in the path of the request, and intercepted it
to send the redirection response.

b. If the server is acting as a redirect cum stateless proxy server,
and it redirects the request with a WWW-Authenticate, the UA might
retry the request with its credentials in an Authorization header.
Assuming that the request arrives at the same server, and needs to
be proxied this time around, the proxy would search for credentials
in Proxy-Authenticate headers, and would not find them... resulting
in another challenge loop.

407 seems the right thing to do, but I am curious what redirect
server implementations do presently...

Thanks in advance,
Subhash Nayak.
Hughes Software Systems
http://www.hssworld.com
_______________________________________________
Sip-implementors mailing list
http://lists.cs.columbia.edu/mailman/listinfo/sip-implementors
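
The challenge sequence raised in point (b), as an added simulation that is not part of the original message or of any SIP implementation. It uses the RFC 3261 pairing of 401/WWW-Authenticate with Authorization and 407/Proxy-Authenticate with Proxy-Authorization; the functions `server`, `ua_answer` and `run`, the per-attempt role list, and the realm, nonce and credential strings are constructed assumptions.

```python
"""Constructed simulation of the 401-vs-407 scenario; not a SIP stack."""

# RFC 3261 pairing: status code -> (challenge header, credentials header)
PAIR = {401: ("WWW-Authenticate", "Authorization"),
        407: ("Proxy-Authenticate", "Proxy-Authorization")}

def server(headers, role, redirect_challenge):
    """Hypothetical stateless redirect-cum-proxy server (an assumption).

    In the redirect role it challenges with `redirect_challenge` (401 or 407);
    in the proxy role it may only use 407. A request is accepted only when the
    credentials header paired with the current role's challenge is present.
    """
    status = redirect_challenge if role == "redirect" else 407
    challenge_hdr, cred_hdr = PAIR[status]
    if cred_hdr in headers:
        # 302 = redirection sent; 200 stands in for "forwarded and answered".
        return (302 if role == "redirect" else 200), {}
    return status, {challenge_hdr: 'Digest realm="example.invalid", nonce="constructed"'}

def ua_answer(headers, status):
    """UA adds credentials in the header that pairs with the challenge status."""
    out = dict(headers)
    out[PAIR[status][1]] = 'Digest username="alice", response="constructed"'
    return out

def run(redirect_challenge, roles):
    """Send one request and retry after each challenge.

    roles[i] is the role the server takes on attempt i. Returns the list of
    status codes the UA saw, so extra challenge rounds are visible.
    """
    headers, seen = {}, []
    for role in roles:
        status, _ = server(headers, role, redirect_challenge)
        seen.append(status)
        if status not in PAIR:      # not a challenge: stop retrying
            break
        headers = ua_answer(headers, status)
    return seen

if __name__ == "__main__":
    # First attempt handled as a redirect, later attempts need proxying.
    roles = ["redirect", "proxy", "proxy"]
    print("redirect role challenges with 401:", run(401, roles))
    print("redirect role challenges with 407:", run(407, roles))
```

When the redirect role challenges with 401 and the retry is then proxied, the UA sees a second challenge (407) before the request is accepted; when both roles use 407, one challenge round is enough.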