WWW-Authenticate header

Fasih faskiri.devel at gmail.com
Tue Jan 14 08:47:34 UTC 2014


Created http://trac.nginx.org/nginx/ticket/485#ticket to track this.

Thanks!


On Mon, Jan 13, 2014 at 9:08 PM, Maxim Dounin <mdounin at mdounin.ru> wrote:

> Hello!
>
> On Sat, Jan 11, 2014 at 10:28:52PM +0530, Fasih wrote:
>
> > Yes, that's how I noticed it. I am using nginx as a reverse proxy. The
> > upstream sends two WWW-Authenticate headers with different realms. I was
> > processing www_authenticate header and hadn't realized that it was legal to
> > send multiple WWW-Authenticate headers.
>
> Looks like there are indeed valid real-world uses, see e.g. here:
>
> http://stackoverflow.com/a/15894841/1597813
>
> I don't think we want to change www_authenticate to ngx_array_t,
> but it certainly counts as another case requiring better support
> for multiple headers, much like with $upstream_http_set_cookie and
> multiple Set-Cookie headers, and so on.
>
> >
> > On Fri, Jan 10, 2014 at 7:19 PM, Maxim Dounin <mdounin at mdounin.ru> wrote:
> >
> > > Hello!
> > >
> > > On Fri, Jan 10, 2014 at 05:42:23PM +0530, Fasih wrote:
> > >
> > > > Hi
> > > >
> > > > RFC allows a server to respond with multiple WWW-Authenticate headers
> > > > (http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.47).
> > > >
> > > > "User agents are advised to take special care in parsing the
> > > > WWW-Authenticate field value as it might contain more than one challenge,
> > > > or if more than one WWW-Authenticate header field is provided, the
> > > > contents of a challenge itself can contain a comma-separated list of
> > > > authentication parameters."
> > > >
> > > > However nginx defines WWW-Authenticate header as an ngx_table_elt_t in
> > > > the ngx_http_headers_out_t struct as opposed to an ngx_array_t like other
> > > > allowed repeated value headers.
> > > >
> > > > Is this a bug that I should file?
> > >
> > > Have you seen this to be a problem in real life?
> > >
> > > --
> > > Maxim Dounin
> > > http://nginx.org/
> > >
> > > _______________________________________________
> > > nginx-devel mailing list
> > > nginx-devel at nginx.org
> > > http://mailman.nginx.org/mailman/listinfo/nginx-devel
> > >
>
> --
> Maxim Dounin
> http://nginx.org/
>
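
The parsing caveat from the RFC text quoted in this thread, as an added example that is not part of the original messages or of nginx: it collects challenges across several WWW-Authenticate header lines and across several challenges within one line, where commas separate both challenges and auth-params. The names `parse_challenges`, `split_commas`, `add_param` and `SAMPLE` are hypothetical, and the sample header values are constructed.

```python
import re

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# auth-param: token "=" ( token / quoted-string )
PARAM = re.compile(rf'({TOKEN})\s*=\s*(?:"((?:[^"\\]|\\.)*)"|({TOKEN}))$')
# auth-scheme, optionally followed by its first auth-param or a token68 blob
SCHEME = re.compile(rf'({TOKEN})(?:\s+(.+))?$')
# a run of characters between commas, treating a quoted string as one unit
ITEM = re.compile(r'(?:[^,"]|"(?:[^"\\]|\\.)*")+')

def split_commas(value):
    """Split a field value on commas that are outside quoted strings."""
    return [i.strip() for i in ITEM.findall(value) if i.strip()]

def add_param(challenge, m):
    raw = m.group(2)  # quoted-string body, or None for a bare token value
    value = re.sub(r"\\(.)", r"\1", raw) if raw is not None else m.group(3)
    challenge["params"][m.group(1).lower()] = value

def parse_challenges(field_values):
    """field_values: one string per WWW-Authenticate header line, in order."""
    challenges = []
    for value in field_values:
        current = None  # a challenge never continues onto the next header line
        for item in split_commas(value):
            m = PARAM.match(item)
            if m and current is not None:
                add_param(current, m)      # another param of the same challenge
                continue
            m = SCHEME.match(item)
            if m is None:
                raise ValueError(f"malformed challenge: {item!r}")
            current = {"scheme": m.group(1), "params": {}, "token68": None}
            challenges.append(current)
            first = PARAM.match(m.group(2) or "")
            if first:
                add_param(current, first)
            else:
                current["token68"] = m.group(2)
    return challenges

# Constructed sample: two header lines, the second carrying two challenges
# and a quoted realm that itself contains a comma.
SAMPLE = [
    'Basic realm="intranet"',
    'Digest realm="api, v2", qop="auth", nonce="abc123", Negotiate',
]

if __name__ == "__main__":
    for c in parse_challenges(SAMPLE):
        print(c)
```

A consumer that stores only one WWW-Authenticate value, or splits on every comma, would report fewer or different challenges than the three this returns for `SAMPLE`.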