I read the documents concerning WWW Access Authorization. I don't
agree with the contention that web-based documents won't need strictly
authenticated access control. Here at EINet we use a Kerberos-based
authentication system to establish
used for information transmission. (For best results, the
transmission itself would also be encrypted, but we can talk about
that later.) We don't believe this is too difficult *or* too slow for
use in the web.

Leaving out the message termination stuff (I wish

GET /some/document Authorization: KerberosV4

If the server does *not* support this form of authorization, it returns
the "HTTP/1.0 401" status code along with the name of an
authentication scheme it supports (as is proposed).

If the server *does* support this form of authentication, it returns a
"please continue" status, and *holds the connection*. The client and
server then both call the appropriate Kerberos functions for mutual
authentication. The authentication is conducted over the open
connection, using encrypted communication. If authentication succeeds,
the server uses the authenticated identity to conduct the access
authorization, and either returns the requested data or an error
status.

The reason the authentication protocol must be conducted over the same
connection as the data transmission is that the server cannot be
absolutely sure from one connection to the next whether it is talking
to the same client. That's the whole point of authentication, after
all.

Comments? (... as he hefts his Kevlar-reinforced asbestos body armor
into place :-)
--
wa | Wayne Allen, EINet - wa@mcc.com FAX: (512)338-3897
   | MCC/ISD, 3500 West Balcones Center Dr, Austin, Tx 78759 (512)338-3754
   | "...and this mess is so wide and so deep and so tall,
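The held-connection exchange described in the message above, as an added example that is neither part of the original post nor EINet's code. Both halves run in one process over a socketpair: the client sends the request with "Authorization: KerberosV4", the server either answers 401 with the scheme it does support or answers "please continue" and keeps the connection open, mutual authentication happens on that same connection, and only then is the authenticated identity checked against the access list. Real Kerberos V4 mutual authentication (ticket, authenticator, KDC) is stood in for by an HMAC challenge/response over a pre-shared per-principal key so the example runs offline; the "HTTP/1.0 100 Continue" status line, the WWW-Authenticate header, the AUTH-OK/AUTH-FAIL lines, the principal names, keys, access list and document are all assumptions, not anything the message specifies.

```python
# Added example: held-connection authentication as sketched in the post.
# Kerberos V4 is replaced by an HMAC challenge/response stand-in (assumption).
import hashlib
import hmac
import os
import socket
import threading

SCHEME = "KerberosV4"
# Constructed sample data: per-principal keys (a KDC's job in real Kerberos)
# and a per-document access list keyed by principal.
KEYS = {"wa@EINET": b"key-for-wa", "guest@EINET": b"key-for-guest"}
ACL = {"/some/document": {"wa@EINET"}}
DOCS = {"/some/document": b"secret contents\n"}


def _proof(key, material):
    return hmac.new(key, material.encode(), hashlib.sha256).hexdigest()


def _read_headers(rd):
    """Read 'Name: value' lines up to the blank line into a lower-cased dict."""
    headers = {}
    while True:
        line = rd.readline().decode().strip()
        if not line:
            return headers
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()


def _server_auth(conn, rd, keys):
    """Server half of the stand-in mutual auth; returns the principal or None."""
    nonce_s = os.urandom(16).hex()
    conn.sendall(f"CHALLENGE {nonce_s}\n".encode())
    parts = rd.readline().decode().split()
    if len(parts) != 4 or parts[0] != "RESPONSE":
        conn.sendall(b"AUTH-FAIL\n")
        return None
    _, principal, nonce_c, proof = parts
    key = keys.get(principal)
    if key is None or not hmac.compare_digest(_proof(key, nonce_s + nonce_c), proof):
        conn.sendall(b"AUTH-FAIL\n")
        return None
    # The server proves it holds the key too: that is the "mutual" part.
    conn.sendall(f"AUTH-OK {_proof(key, nonce_c + nonce_s)}\n".encode())
    return principal


def _client_auth(conn, rd, principal, key):
    """Client half; returns "ok", "rejected" or "server-unproven"."""
    parts = rd.readline().decode().split()
    if len(parts) != 2 or parts[0] != "CHALLENGE":
        return "server-unproven"
    nonce_s, nonce_c = parts[1], os.urandom(16).hex()
    conn.sendall(f"RESPONSE {principal} {nonce_c} {_proof(key, nonce_s + nonce_c)}\n".encode())
    reply = rd.readline().decode().split()
    if reply[:1] == ["AUTH-FAIL"]:
        return "rejected"
    if len(reply) == 2 and reply[0] == "AUTH-OK" and \
            hmac.compare_digest(reply[1], _proof(key, nonce_c + nonce_s)):
        return "ok"
    return "server-unproven"      # impostor: could not prove knowledge of the key


def serve_one(conn, keys=KEYS, acl=ACL, docs=DOCS):
    """Server side of the exchange in the post, on a single connection."""
    rd = conn.makefile("rb")
    _, _, path = rd.readline().decode().strip().partition(" ")   # "GET /path"
    headers = _read_headers(rd)
    if headers.get("authorization") != SCHEME:      # scheme not supported: 401 + what is
        conn.sendall(f"HTTP/1.0 401 Unauthorized\nWWW-Authenticate: {SCHEME}\n\n".encode())
        return
    conn.sendall(b"HTTP/1.0 100 Continue\n")        # "please continue", hold the connection
    principal = _server_auth(conn, rd, keys)        # authenticate on that same connection
    if principal is None:
        conn.sendall(b"HTTP/1.0 401 Unauthorized\n\n")
    elif principal not in acl.get(path, set()):     # authenticated identity -> authorization
        conn.sendall(b"HTTP/1.0 403 Forbidden\n\n")
    else:
        conn.sendall(b"HTTP/1.0 200 OK\n\n" + docs[path])


def serve_impostor(conn):
    """A server without the key: accepts anyone and serves a forged body."""
    rd = conn.makefile("rb")
    rd.readline()
    _read_headers(rd)
    conn.sendall(b"HTTP/1.0 100 Continue\nCHALLENGE 00\n")
    rd.readline()
    conn.sendall(b"AUTH-OK deadbeef\nHTTP/1.0 200 OK\n\nforged contents\n")


def fetch(conn, path, principal, key, scheme=SCHEME):
    """Client side; returns (status line, offered scheme or auth result, body)."""
    rd = conn.makefile("rb")
    conn.sendall(f"GET {path}\nAuthorization: {scheme}\n\n".encode())
    status = rd.readline().decode().strip()
    if not status.startswith("HTTP/1.0 100"):
        return status, _read_headers(rd).get("www-authenticate"), b""
    result = _client_auth(conn, rd, principal, key)
    if result == "server-unproven":
        return "client aborted: server failed to prove its identity", result, b""
    status = rd.readline().decode().strip()
    _read_headers(rd)
    return status, result, rd.read()


def run_exchange(path, principal, key, scheme=SCHEME, server=serve_one):
    """Run client and server over a socketpair in one process."""
    client_end, server_end = socket.socketpair()

    def _serve():
        try:
            server(server_end)
        finally:
            server_end.close()

    t = threading.Thread(target=_serve)
    t.start()
    try:
        return fetch(client_end, path, principal, key, scheme)
    finally:
        client_end.close()
        t.join()


if __name__ == "__main__":
    print(run_exchange("/some/document", "wa@EINET", KEYS["wa@EINET"]))
```

The impostor case is why the authentication has to be mutual: a server that merely accepts the client's proof and answers 200 is refused by the client, which never reads the forged body. Everything after AUTH-OK still travels in the clear here, which is the "transmission itself would also be encrypted" point the message defers.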