[standards-jig] NEW: Authenticating HTTP via Jabber

Matthew A. Miller linuxwolf at outer-planes.no-ip.com
Fri Jan 31 17:49:32 UTC 2003


The overall theme while drafting this was "make it usable with existing
implementations".  For all the methods that I could have employed, this
one appears to be the most compatible with existing specs, practices,
and implementations.  I developed this spec based on a lot of research.

At first, I was trying to see usage of the existing WWW-Authenticate and
Authorization fields.  I didn't find them to fit well for a few
reasons:

1)  both Basic and Digest do not *quite* fit this "dual-band" scheme [1]
2)  few (client | server) implementations of HTTP allow for
"overloading" the existing authentication schemes
3)  None of the implementations I found would allow for new schemes,
without significant, and non-trivial workarounds.  Most deny you the
ability to introduce new schemes altogether.

Next, I looked into utilizing cookies.  Again, most existing
implementations make cookie processing in non-standard ways "not easy". 
Some implementations allow for manipulating cookies before beginning an
HTTP transaction, but these were few and far between.  Plus, the
persistence of cookies, and the habit of some HTTP proxies (and many
implementations) to automagically cache them, regardless of the cookie's
defined lifetime, gave me pause.

The use of a custom header seemed to be the most practical and
implementable solution.  Every HTTP implementation I investigated allows
one to (quite easily) send and receive custom headers.  Proxies are
required (by the HTTP/1.0 and all existing HTTP/1.1 specs) to forward
unknown headers between the user-agent and the server (and vice versa). 
And, since (custom) headers do not have a persistence beyond the
immediate transaction, they seemed the best fit for this usage.

The implementations I had looked into included a number of C and C++
libraries, a few Java tools, COM components, Tcl commands, and even
command-line tools like wget and curl.  Like I said, I tried to be
exhaustive. (-:


-  LW

[1] It is possible to fit this into the Digest scheme, but then you'll
run into obstacle-reason #2 


On Fri, 2003-01-31 at 08:47, Matthias Wimmer wrote: 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi Peter!
> 
> Peter Saint-Andre wrote:
> | Matthew Miller has contributed a proposal for authenticating HTTP via
> | Jabber (to augment existing oob methods). The JEP is here:
> |
> | http://www.jabber.org/jeps/jep-0070.html
> 
> 
> Is there any reason for not using already existing HTTP authentication
> headers?
> 
> 
> Tot kijk
> ~    Matthias
> - --
> Fon: +49-(0)70 0770 07770       http://matthias-wimmer.de/
> Fax: +49-(0)89-312 88 654       jabber://mawis@charente.de
> HAM: DB1MW   OpenPGP: http://matthias-wimmer.de/encryption
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> 
> iD8DBQE+Oqi0J/5jVqqDmvkRAhkpAJ9sD96F4m56IuAAaw7A6HbCqoEKHwCgjAH3
> pPCBMAql2TLY4xn+mw8JFIE=
> =WQJH
> -----END PGP SIGNATURE-----
> 
> _______________________________________________
> Standards-JIG mailing list
> Standards-JIG at jabber.org
> http://mailman.jabber.org/listinfo/standards-jig



-- 

Matt "linuxwolf" Miller
JID:	linuxwolf at outer-planes.net
E-MAIL:	linuxwolf at outer-planes.net

- Got "JABBER"? (http://www.jabber.org/)
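As an added illustration of the "dual-band" idea Matt describes (the HTTP request only names a JID and a transaction; the server must obtain confirmation on the Jabber side before treating the request as authorized), here is a small Python sketch. It is not code from the JEP, from Matt, or from any Jabber project: the header name `X-Jabber-Auth-Example`, the `jid=...; id=...` value format, the server-generated transaction nonce and the confirmation call are all assumptions made for the example. The point it demonstrates from a defender's view is that the custom header is never trusted by itself; a request is approved only when an out-of-band confirmation matches the recorded JID, method and target, and each confirmation is accepted once.

```python
"""Dual-band HTTP verification sketch (added example, not the JEP's wire format)."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Hypothetical custom header name (assumption for this example). Header
# names are compared case-insensitively, so we normalise to lower case.
HEADER_NAME = "x-jabber-auth-example"


def parse_http_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Parse the request line and header fields of a raw HTTP/1.x request.

    Only the head (up to the blank line) is examined; any body is ignored.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def parse_auth_value(value: str) -> Optional[Tuple[str, str]]:
    """Parse the assumed 'jid=<jid>; id=<client-chosen-id>' header value."""
    fields: Dict[str, str] = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key and val:
            fields[key.strip().lower()] = val.strip()
    if "jid" not in fields or "id" not in fields:
        return None
    return fields["jid"], fields["id"]


@dataclass
class Pending:
    jid: str
    method: str
    target: str
    client_id: str
    confirmed: bool = False


class DualBandVerifier:
    """Records requests seen over HTTP and approves them only on confirmation."""

    def __init__(self) -> None:
        self._pending: Dict[str, Pending] = {}

    def on_http_request(self, raw: bytes) -> Tuple[int, Optional[str]]:
        """Return (status, transaction id); 401 if no header, 400 if malformed.

        A 202 means 'accepted, awaiting confirmation', not 'authorized'.
        """
        method, target, headers = parse_http_request(raw)
        value = headers.get(HEADER_NAME)
        if value is None:
            return 401, None
        parsed = parse_auth_value(value)
        if parsed is None:
            return 400, None
        jid, client_id = parsed
        # Server-chosen nonce keys the pending entry so one client's id can
        # never collide with, or be confused for, another client's request.
        tid = secrets.token_hex(8)
        self._pending[tid] = Pending(jid, method, target, client_id)
        return 202, tid

    def on_xmpp_confirmation(self, tid: str, jid: str, method: str, target: str) -> bool:
        """Confirmation arriving on the Jabber side (simulated call here).

        Accepted only if it names the same JID, method and target that the
        HTTP request carried, and only once per transaction.
        """
        entry = self._pending.get(tid)
        if entry is None or entry.confirmed:
            return False
        if (entry.jid, entry.method, entry.target) != (jid, method, target):
            return False
        entry.confirmed = True
        return True

    def is_authorized(self, tid: str) -> bool:
        entry = self._pending.get(tid)
        return entry is not None and entry.confirmed
```

Usage: feed `on_http_request` the raw request bytes, hold the response until `is_authorized(tid)` becomes true after `on_xmpp_confirmation` is called from the Jabber side, and reject or time out otherwise. A production version would also expire pending entries and bind the confirmation to the HTTP connection rather than just the transaction id.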



