Matt, Matthew Smith wrote: > Hello! > > Is it correct to say that a response can only have one authenticate in > the headers? That a request containing a WWW-Authenticate cannot have a > Proxy-Authenticate as well? > > If I have a site which requires authentication with a given scheme, am I > right to assume that the only way a authenticating proxy between the > site and the user can use authentication is if the authentication tokens > sent by the user are the same for the proxy and the site? Is basic > authentication the only auth system that can be chained in this way? > > Lastly, assuming a proxy with no auth, is it now possible to have a > WWW-Authenticate using the NTLM scheme pass though a squid proxy? In the > past I believe the answer is no, but I want to be sure nothing has > changed since. I wouldn't have thought a response could contain both headers. But what would happen is the request would be sent to the proxy, you'd authenticate, then the request would be forwarded to the target site which would then request authentication. A request can have both headers. As long as your clients are aware of the proxy then they will happily authenticate to it (with Proxy-Authorization) and then authenticate to the target website (with Authorization). Neil. -- Neil Hillard neil.hillard@xxxxxxxxxxxxxxxxxx AgustaWestland http://www.whl.co.uk/ Disclaimer: This message does not necessarily reflect the views of Westland Helicopters Ltd.
