PROXY  WHOIS  RQUOTE  TEXTS  SOFT  FOREX  BBOARD
 Music  Philosophy  Code  Literature  Russian

= ROOT|Technical|RFC|rfc2617.txt =

page 2 of 20 



    4.7   Online dictionary attacks.........................  23
    4.8   Man in the Middle.................................  24
    4.9   Chosen plaintext attacks..........................  24
    4.10  Precomputed dictionary attacks....................  25
    4.11  Batch brute force attacks.........................  25
    4.12  Spoofing by Counterfeit Servers...................  25
    4.13  Storing passwords.................................  26
    4.14  Summary...........................................  26
   5   Sample implementation................................  27
   6   Acknowledgments......................................  31




 
RFC 2617                  HTTP Authentication                  June 1999


   7   References...........................................  31
   8   Authors' Addresses...................................  32
   9   Full Copyright Statement.............................  34

1 Access Authentication

1.1 Reliance on the HTTP/1.1 Specification

   This specification is a companion to the HTTP/1.1 specification [2].
   It uses the augmented BNF section 2.1 of that document, and relies on
   both the non-terminals defined in that document and other aspects of
   the HTTP/1.1 specification.

1.2 Access Authentication Framework

   HTTP provides a simple challenge-response authentication mechanism
   that MAY be used by a server to challenge a client request and by a
   client to provide authentication information. It uses an extensible,
   case-insensitive token to identify the authentication scheme,
   followed by a comma-separated list of attribute-value pairs which
   carry the parameters necessary for achieving authentication via that
   scheme.

      auth-scheme    = token
      auth-param     = token "=" ( token | quoted-string )

   The 401 (Unauthorized) response message is used by an origin server
   to challenge the authorization of a user agent. This response MUST
   include a WWW-Authenticate header field containing at least one
   challenge applicable to the requested resource. The 407 (Proxy
   Authentication Required) response message is used by a proxy to
   challenge the authorization of a client and MUST include a Proxy-
   Authenticate header field containing at least one challenge
   applicable to the proxy for the requested resource.

      challenge   = auth-scheme 1*SP 1#auth-param

   Note: User agents will need to take special care in parsing the WWW-
   Authenticate or Proxy-Authenticate header field value if it contains
   more than one challenge, or if more than one WWW-Authenticate header
   field is provided, since the contents of a challenge may itself
   contain a comma-separated list of authentication parameters.

   The authentication parameter realm is defined for all authentication
   schemes:

      realm       = "realm" "=" realm-value
      realm-value = quoted-string




 
RFC 2617                  HTTP Authentication                  June 1999


   The realm directive (case-insensitive) is required for all
   authentication schemes that issue a challenge. The realm value
   (case-sensitive), in combination with the canonical root URL (the
   absoluteURI for the server whose abs_path is empty; see section 5.1.2
   of [2]) of the server being accessed, defines the protection space.
   These realms allow the protected resources on a server to be
   partitioned into a set of protection spaces, each with its own
   authentication scheme and/or authorization database. The realm value
   is a string, generally assigned by the origin server, which may have
   additional semantics specific to the authentication scheme. Note that
   there may be multiple challenges with the same auth-scheme but
   different realms.

   A user agent that wishes to authenticate itself with an origin
   server--usually, but not necessarily, after receiving a 401
   (Unauthorized)--MAY do so by including an Authorization header field
   with the request. A client that wishes to authenticate itself with a
   proxy--usually, but not necessarily, after receiving a 407 (Proxy
   Authentication Required)--MAY do so by including a Proxy-
   Authorization header field with the request.  Both the Authorization
   field value and the Proxy-Authorization field value consist of
   credentials containing the authentication information of the client
   for the realm of the resource being requested. The user agent MUST
   choose to use one of the challenges with the strongest auth-scheme it
   understands and request credentials from the user based upon that
   challenge.
=2=

1| < PREV = PAGE 2 = NEXT > |3|4|5|6|7|8|9|10|11.20

UP TO ROOT | UP TO DIR | TO FIRST PAGE

Google
 


E-mail Facebook Google Digg del.icio.us BlinkList Fark Furl Ma.gnolia Netscape NewsVine Reddit Slashdot Spurl StumbleUpon Technorati YahooMyWeb LiveJournal Blogmarks TwitThis Live News2.ru BobrDobr.ru Memori.ru MoeMesto.ru

0.0103672 wallclock secs ( 0.01 usr + 0.01 sys = 0.02 CPU)