Comments on Oracle Fusion Middleware Security: How does Kerberos actually work in the HTTP world?
Blog by Chris Johnson (Oracle); comment feed last updated 2023-05-22.

Comment by Lost IN Translation (Murari), 2012-05-07:

Hi Chris,

Thanks for the wonderful post.

Do you think we should clarify the priority of the authentication types "Negotiate", "NTLM", "Digest", "Basic" in case the server responds with more than one WWW-Authenticate? If I am not wrong, clients (e.g. Chrome), by default, enforce a priority order of authentication type irrespective of the header responses from the server.

Murari

Reply by Chris Johnson (Oracle), 2012-06-04:

The HTTP spec says that browsers are supposed to try them in "most secure to least secure" order. RFC 2617 says:

"An HTTP/1.1 server may return multiple challenges with a 401 (Authenticate) response, and each challenge may use a different auth-scheme. A user agent MUST choose to use the strongest auth-scheme it understands and request credentials from the user based upon that challenge."

https://www.ietf.org/rfc/rfc2617.txt

Servers should (will?) always order them from most secure to least secure anyway, but if they don't then the browser will also apply its own ordering.

Or at least that's how it's supposed to work. :-)