serf-dev mailing list archives

From Jarno Elonen <elo...@iki.fi>
Subject Re: Passing custom auth headers from server?
Date Fri, 06 Oct 2017 10:19:47 GMT
> Read the documentation for HTTP status code 302 or 307. Subversion
> handles redirects.

Sure, but for the embedded-token-in-url scheme to work, it would need
to redirect not only the current URI but all the subsequent requests,
too - for each individual file it downloads etc. That is, the server
would have to make the client use a different *base* URL for all the
requests after the first one, which I don't think is possible?

> Of course, embedding authn tokens in the URL, where they're exposed
> before the SSL handshake (and will typically end up in server logs, too)
> is hardly secure.

I thought the URI is only passed to the server after the SSL connection
is established - as in HTTP over SSL over IP.

Anyway, the URI scheme idea was more or less my desperate last
option. :) I'd obviously prefer custom authentication headers (unless
the Kerberos crash bug, wherever it is, is fixed first).

-Jarno
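
The following is an added example, not part of the original message or of serf or Subversion code. It compares the two schemes discussed in this thread (a token embedded in the URL versus a token in a custom header) by checking where the token ends up: in the cleartext host name, in the request sent over the established TLS connection, and in a Common Log Format access log line. The host name, token value, URL path layout and the `X-Example-Auth` header name are constructed assumptions.

```python
from urllib.parse import urlsplit

TOKEN = "EXAMPLE-TOKEN-0000"  # constructed sample value
HOST = "svn.example.org"      # constructed host name

def split_exposure(url):
    """Separate what leaves the client in cleartext from what travels inside TLS."""
    u = urlsplit(url)
    target = (u.path or "/") + ("?" + u.query if u.query else "")
    # The host name is used for the DNS lookup and sent as TLS SNI in the ClientHello.
    cleartext = f"{u.hostname}:{u.port or 443}"
    return cleartext, target

def build_request(url, headers=()):
    """Build the HTTP/1.1 request that is written only after the TLS handshake."""
    _, target = split_exposure(url)
    lines = [f"GET {target} HTTP/1.1", f"Host: {urlsplit(url).hostname}"]
    lines += [f"{name}: {value}" for name, value in headers]
    return "\r\n".join(lines) + "\r\n\r\n"

def common_log_line(request, client="192.0.2.10"):
    """Common Log Format records the request line (%r) but no request headers."""
    request_line = request.split("\r\n", 1)[0]
    return f'{client} - - [06/Oct/2017:10:19:47 +0000] "{request_line}" 200 512'

def token_locations(url, headers=()):
    """Report where TOKEN shows up for one request."""
    cleartext, _ = split_exposure(url)
    request = build_request(url, headers)
    return {
        "cleartext_before_handshake": TOKEN in cleartext,
        "encrypted_request": TOKEN in request,
        "server_access_log": TOKEN in common_log_line(request),
    }

# Scheme 1: token embedded in the base URL (path layout is an assumption).
in_url = token_locations(f"https://{HOST}/t/{TOKEN}/repo/trunk")
# Scheme 2: token in a custom header (header name is hypothetical).
in_header = token_locations(f"https://{HOST}/repo/trunk", [("X-Example-Auth", TOKEN)])

if __name__ == "__main__":
    print("token in URL:   ", in_url)
    print("token in header:", in_header)
```
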
