serf-dev mailing list archives

From Branko Čibej <br...@apache.org>
Subject Re: Passing custom auth headers from server?
Date Fri, 06 Oct 2017 11:02:00 GMT
On 06.10.2017 12:19, Jarno Elonen wrote:
>> Read the documentation for HTTP status code 302 or 307. Subversion
>> handles redirects.
> Sure, but for the embedded-token-in-url scheme to work, it would need
> to redirect not only the current URI but all the subsequent requests,
> too - for each individual file it downloads etc. That is, the server
> would have to make the client use a different *base* URL for all the
> requests after the first one, which I don't think is possible?

As far as Subversion is concerned (and note that this is the Serf dev
list, so slightly off topic), it will do the same as any browser does
for a (temporary) redirect: it'll change the URL for the current session
to whatever is in the returned Location header.

>> Of course, embedding authn tokens in the URL, where they're exposed
>> before the SSL handshake (and will typically end up in server logs, too)
>> is hardly secure.
> I thought the URI is only passed to the server after SSL connection is
> established - as in HTTP over SSL over IP.

It is, unless you have automatic redirect from HTTP to HTTPS ... or
someone uses the HTTP scheme by mistake. And it _will_ usually be logged
by the server. The logging part can be disabled, of course, but it's
extra legwork.

> Anyway, the URI scheme idea was more or less my desperate last
> option. :) I'd obviously prefer custom authentication headers (unless
> the Kerberos crash bug, wherever it is, is fixed first).

Understood.

-- Brane

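One piece of the logging legwork mentioned above, as an added example that is not code from the Serf or Subversion projects: a small Python filter that redacts bearer-style query parameters from combined-format access-log lines before they are stored, so a token that did land in a URL is not kept on disk. The parameter names, the log lines and the SVN-style paths are constructed for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query-parameter names treated as credentials (assumed list; extend per deployment).
SENSITIVE_PARAMS = {"token", "auth", "access_token", "auth_token", "apikey", "api_key"}

# Apache/nginx "combined" format: client ident user [time] "METHOD target PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<pre>\S+ \S+ \S+ \[[^\]]+\] ")(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)(?P<post>".*)$'
)

def redact_url(target):
    """Replace sensitive query values in an origin-form or absolute-form target; returns (target, found)."""
    parts = urlsplit(target)
    found, pairs = False, []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            found, value = True, "REDACTED"
        pairs.append((name, value))
    if not found:
        return target, False
    return urlunsplit(parts._replace(query=urlencode(pairs))), True

def redact_log_line(line):
    """Redact one access-log line; lines that do not parse are passed through unchanged."""
    m = LOG_RE.match(line)
    if not m:
        return line, False
    target, found = redact_url(m.group("target"))
    if not found:
        return line, False
    return f'{m.group("pre")}{m.group("method")} {target} {m.group("proto")}{m.group("post")}', True

def scrub(lines):
    """Redact a sequence of log lines; returns (cleaned_lines, number_of_lines_redacted)."""
    cleaned, hits = [], 0
    for line in lines:
        out, hit = redact_log_line(line)
        cleaned.append(out)
        hits += hit
    return cleaned, hits

# Constructed sample: a token-in-URL request that got a redirect, then two follow-up requests.
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Oct/2017:11:02:00 +0000] "GET /svn/repo/trunk?token=s3cr3t HTTP/1.1" 302 0 "-" "SVN/1.9.7 serf/1.3.9"',
    '203.0.113.7 - - [06/Oct/2017:11:02:01 +0000] "OPTIONS /svn/repo/trunk HTTP/1.1" 200 512 "-" "SVN/1.9.7 serf/1.3.9"',
    '203.0.113.7 - - [06/Oct/2017:11:02:02 +0000] "PROPFIND /svn/repo/!svn/rvr/42/trunk?access_token=abc123&depth=1 HTTP/1.1" 207 1024 "-" "SVN/1.9.7 serf/1.3.9"',
]
```

Run `scrub(SAMPLE_LOG)` to see the two token-bearing lines rewritten and the plain OPTIONS line left untouched; in practice the same function sits in the log pipeline (a piped logger or a rotation hook) rather than being run after the fact.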
