[standards-jig] NEW: Authenticating HTTP via Jabber

Matthew A. Miller linuxwolf at outer-planes.no-ip.com
Fri Jan 31 17:49:32 UTC 2003

The overall theme while drafting this was "make it usable with existing
implementations".  For all the methods that I could have employed, this
one appears to be the most compatible with existing specs, practices,
and implementations.  I developed this spec based on a lot of research.

At first, I was trying to see usage of the existing WWW-Authenticate and
Authorization fields.  I didn't find them to fit well for a few

1)  both Basic and Digest do not *quite* fit this "dual-band" scheme [1]
2)  few (client | server) implementations of HTTP allow for
"overloading" the existing authentication schemes
3)  None of the implementations I found would allow for new schemes,
without significant, and non-trivial workarounds.  Most deny you the
ability to introduce new schemes altogether.

Next, I looked into utilizing cookies.  Again, most existing
implementations make cookie processing in non-standard ways "not easy". 
Some implementations allow for manipulating cookies before beginning an
HTTP transaction, but these were few and far between.  Plus, the
persistence of cookies, and the habit of some HTTP proxies (and many
implementations) to automagically cache them, regardless of the cookie's
defined lifetime, gave me pause.

The use of a custom header seemed to be the most practical and
implementable solution.  Every HTTP implementation I investigated allows
one to (quite easily) send and receive custom headers.  Proxies are
required (by the HTTP/1.0 and all existing HTTP/1.1 specs) to forward
unknown headers between the user-agent and the server (and vice versa). 
And, since (custom) headers do not have a persistence beyond the
immediate transaction, they seemed the best fit for this usage.

The implementations I had looked into included a number of C and C++
libraries, a few Java tools, COM components, Tcl commands, and even
command-line tools like wget and curl.  Like I said, I tried to be
exhaustive. (-:

-  LW

[1] It is possible to fit this into the Digest scheme, but then you'll
run into obstacle-reason #2 

On Fri, 2003-01-31 at 08:47, Matthias Wimmer wrote: 
> Hi Peter!
> Peter Saint-Andre wrote:
> | Matthew Miller has contributed a proposal for authenticating HTTP via
> | Jabber (to augment existing oob methods). The JEP is here:
> |
> | http://www.jabber.org/jeps/jep-0070.html
> Is there any reason for not using already existing HTTP authentication
> headers?
> Tot kijk
> ~    Matthias
> - --
> Fon: +49-(0)70 0770 07770       http://matthias-wimmer.de/
> Fax: +49-(0)89-312 88 654       jabber://mawis@charente.de
> HAM: DB1MW   OpenPGP: http://matthias-wimmer.de/encryption


Matt "linuxwolf" Miller
JID:	linuxwolf at outer-planes.net
E-MAIL:	linuxwolf at outer-planes.net

- Got "JABBER"? (http://www.jabber.org/)
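The "dual-band" check the proposal describes, as an added illustration that is not part of this thread and not the JEP-0070 wire format: the HTTP request carries a custom header naming a Jabber ID and a per-request transaction id, and the HTTP server asks that JID, out of band, to confirm the exact request before serving it. The header name `X-Jabber-Auth`, its value syntax, the `SimulatedJabberUser` class and the `ask_user` callback are all constructed for this example; the Jabber side is simulated in-process so it runs offline.

```python
"""Simulated Jabber-confirmed HTTP request. The server never stores any
result: each transaction presents its own header and earns its own
confirmation, which is the non-persistence argued for in the thread."""
import re
import secrets
from dataclasses import dataclass, field

# Hypothetical header name and value syntax, constructed for this example.
AUTH_HEADER = "X-Jabber-Auth"
_HEADER_RE = re.compile(r'^jid="([^"\s]+)",\s*id="([A-Za-z0-9._-]+)"$')


def parse_auth_header(value):
    """Parse 'jid="user@host", id="<txid>"' into (jid, txid); None if malformed."""
    m = _HEADER_RE.match(value.strip())
    return (m.group(1), m.group(2)) if m else None


def new_txid():
    """A fresh, unguessable per-request transaction id (128 bits)."""
    return secrets.token_hex(16)


@dataclass
class SimulatedJabberUser:
    """Stands in for the user's Jabber client. It remembers which transaction
    ids its own HTTP client issued, and for which request, and answers the
    server's out-of-band query only when every field matches, exactly once."""
    jid: str
    outstanding: dict = field(default_factory=dict)  # txid -> (method, url)

    def build_header(self, method, url):
        """What the user's HTTP client puts in the request header."""
        txid = new_txid()
        self.outstanding[txid] = (method, url)
        return 'jid="%s", id="%s"' % (self.jid, txid)

    def confirm(self, jid, txid, method, url):
        """Answer the server's confirmation query (a simulated Jabber message)."""
        if jid != self.jid:
            return False
        expected = self.outstanding.pop(txid, None)  # one-shot: removed on use
        return expected == (method, url)


def authorize_request(headers, method, url, ask_user):
    """HTTP-side check. `ask_user(jid, txid, method, url)` models the server
    sending a confirmation over Jabber and waiting for the reply. Nothing
    about the outcome persists beyond this call."""
    raw = headers.get(AUTH_HEADER)
    if raw is None:
        return 401, "no %s header" % AUTH_HEADER
    parsed = parse_auth_header(raw)
    if parsed is None:
        return 400, "malformed %s header" % AUTH_HEADER
    jid, txid = parsed
    if not ask_user(jid, txid, method, url):
        return 401, "request not confirmed by %s" % jid
    return 200, "confirmed by %s" % jid


def demo():
    """Walk the flow once and return the status codes observed, in order:
    genuine request, replay of the same header, a valid header presented
    against a different resource, a header with an id the user never issued,
    no header at all, and a malformed header."""
    user = SimulatedJabberUser("juliet@example.com")  # constructed JID
    url = "https://files.example.com/report.pdf"       # constructed URL
    hdr = user.build_header("GET", url)

    genuine = authorize_request({AUTH_HEADER: hdr}, "GET", url, user.confirm)
    replay = authorize_request({AUTH_HEADER: hdr}, "GET", url, user.confirm)
    other_url = authorize_request({AUTH_HEADER: user.build_header("GET", url)},
                                  "GET", url + "?admin=1", user.confirm)
    unknown_id = authorize_request(
        {AUTH_HEADER: 'jid="juliet@example.com", id="deadbeef"'},
        "GET", url, user.confirm)
    missing = authorize_request({}, "GET", url, user.confirm)
    malformed = authorize_request({AUTH_HEADER: "jid=juliet"}, "GET", url, user.confirm)
    return [s for s, _ in (genuine, replay, other_url, unknown_id, missing, malformed)]


if __name__ == "__main__":
    print(demo())  # [200, 401, 401, 401, 401, 400]
```

The point the server side has to get right is that the confirmation it requests over Jabber names the method and URL it is about to serve, and that the user's client approves a transaction id only once; with those two checks a header value is useless outside the single request it was minted for, so the lack of persistence is a property of the design rather than just of the transport.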
