Dale Worley wrote:
From: Paul Kyzivat

I don't think the concept of challenging based on all the realms the
server supports, and expecting the caller to pick one, works. If the
caller receives a 407 Proxy Authenticate with multiple challenges, I
believe it will think it must provide credentials for *each* challenge,
rather than just picking one. (Normally this case would arise because of
challenges from multiple independent proxies.) Perhaps the situation is
different for a 401 response, but I doubt it.

I would expect that if the caller receives a 401/407, then it would supply
credentials it has for any realms mentioned, since it has no way of knowing
which credentials are needed (and for which stages of processing). Of
course, it doesn't know if the credentials it has suffice to gain access,
but it has no way of knowing that anyway.

I suspect that in practice a UA has one or a very few credentials, and
probably just sends them all if it is responding to a 401/407.

I think this depends on the capabilities of the UA. If the UA has some
stored credentials and no way to request more, then it will *probably*
do as you suggest - respond to the challenges it has credentials for and
hope for the best.

But a UA that can query for credentials is a different story. Consider a
softphone. When challenged for some new realm, it can pop up a
username/password dialog. If there are multiple challenges, then it is
likely to prompt for each. So the user may be forced to make up user
names and passwords for realms he doesn't understand.

Now *maybe* a UA will accept a "cancel" for some of those prompts, and then
try using the ones that are answered. But there is no certainty of that,
and in any case it would provide a bad user experience.

Paul
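
An added example, not part of the original thread: a UA with stored credentials and no way to prompt, answering only the 407 challenges whose realm it holds credentials for and reporting the rest. The response text, realm names, credential store and function names are constructed for illustration; the digest is the RFC 2617 form without qop.

```python
import hashlib
import re

# Constructed 407 response with challenges from two independent proxies.
RESPONSE_407 = (
    "SIP/2.0 407 Proxy Authentication Required\r\n"
    'Proxy-Authenticate: Digest realm="proxy-a.example", nonce="a1b2c3"\r\n'
    'Proxy-Authenticate: Digest realm="proxy-b.example", nonce="d4e5f6"\r\n'
    "Content-Length: 0\r\n\r\n"
)
# Hypothetical credential store: realm -> (username, password).
STORE = {"proxy-a.example": ("alice", "constructed-password")}

def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def parse_challenges(response):
    """Return one dict of quoted auth-params per Digest Proxy-Authenticate header."""
    out = []
    for line in response.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() != "proxy-authenticate":
            continue
        scheme, _, params = value.strip().partition(" ")
        if scheme.lower() == "digest":
            # Only quoted parameters (realm, nonce, opaque, ...) are collected.
            out.append(dict(re.findall(r'(\w+)="([^"]*)"', params)))
    return out

def answer_challenges(response, store, method, uri):
    """Answer each challenge whose realm is in the store; list the others."""
    headers, unanswered = [], []
    for ch in parse_challenges(response):
        realm, nonce = ch.get("realm"), ch.get("nonce")
        if realm not in store or nonce is None:
            unanswered.append(realm)  # a prompting UA would ask the user here
            continue
        user, password = store[realm]
        ha1 = md5_hex(f"{user}:{realm}:{password}")
        ha2 = md5_hex(f"{method}:{uri}")
        resp = md5_hex(f"{ha1}:{nonce}:{ha2}")  # no-qop request-digest
        headers.append(
            f'Proxy-Authorization: Digest username="{user}", realm="{realm}", '
            f'nonce="{nonce}", uri="{uri}", response="{resp}"')
    return headers, unanswered
```

The `unanswered` list is the set of realms for which a UA that can query the user would have to show a dialog, or give up on.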