tags:

views:

37

answers:

1
Q: 

HTTP Authentication - WWW-Authenticate header - multiple realms

Does anyone have any experience of supporting multiple realms in HTTP Authentication?

The Microsoft website states:

Each authenticate response header contains an available authentication scheme and a realm. If multiple authentication schemes are supported, the server returns multiple authenticate response headers. The realm value is case-sensitive and defines a protection space on the proxy or server. For example, the header "WWW-Authenticate: Basic Realm="example"" would be an example of a header returned when server authentication is required.

This suggests that different areas of a website can be secured using different authentication methods. What we are confused about is how to determine what realm should be stated in the server response to a client request.

Does anyone have any examples of how multiple realms work?

+1  A: 

The HTTP specification allows for multiple WWW-Authenticate challenges to be present in a response, either within the same WWW-Authenticate header or using multiple WWW-Authenticate headers within the same response.

There are problems associated with this, as described in RFC 2617, section 4.6. In theory, the client must choose the strongest authentication mechanism available, however, defining which one is the strongest is not always obvious.

I've never tried with multiple realms (and the same scheme, for example Basic), but I'm not aware of anything disallowing it. The main problem with multiple realms and the same scheme is that the browser is likely to be confused in terms of user-interface, in particular which realm it challenges the user with.

Bruno  2010-08-26 15:08:31
Regarding multiple WWW-Authenticate challenges, is there a consensus on whether use multiple WWW-Authenticate headers or to have multiple challenges within the same WWW-Authenticate header?
S0rin  2010-09-02 15:09:57
According to the specification, it's supposed to be equivalent, so conforming user-agents should support both. Whether they do it in practice, I'm not sure.
Bruno  2010-09-02 16:11:43

related questions

Basic HTTP Authentication on iPhone
Can I coerce Apache into not including a WWW-Authenticate header for failed HTTP Basic Auth?
How do I keep Firefox from prompting for username/password with HTTP Basic Auth with JQuery AJAX?
Apache .htaccess password protect with relative path
HTTP Authentication Headers for IIS windows authentication
How can an Ajax callback realize that a user's authenticated session has timed out?
IIS as reverse proxy
Designing a web api: How to authenticate?
Authenticating to Google Search Appliance using Basic HTTP auth and ASP.NET (VB)
How do I secure authentication but not the payload?
HTTP Digest Authentication versus SSL
What should we implement to authorize clients to use our web service?
Handling http authenticated urls from elisp
Flex 3 - how to support HTTP Authentication URLRequest?
HTTP Basic Authentication with HTTPService Objects in Adobe Flex/AIR
How does wininet handle cookies
IIS7 and Authentication problems
Apache/.htaccess - password-protecting a domain but whitelisting certain URIs within it
Why is the http auth UI so poor in browsers?
WCF WebHttp Mixed Authentication (Basic AND Anonymous)
HTTP Authentication (Basic or Digest) in ASP Classic via IIS
Can I use HTTP Basic Authentication with Django?
Kerberos and T125 protocol
How can I supress the browser's authentication dialog?
GreaseMonkey script to auto login using HTTP authentication