
Re: [reSIProcate] RE: ServerAuthManager ?


On Wed, 2006-02-22 at 13:58 -0500, Scott Godin wrote:
> > I've started working on async, I've also reported a new issue that I
> > will fix as part of the async patch:
> > 
> >     http://track.sipfoundry.org/browse/RSP-29
> 
> [Scott] We should be really careful about this.  We should only issue a
> 407 if we haven't already done so for this request.  If we don't do this
> check we could get into an endless loop with poorly behaved UAs, i.e.
> UAs that always just send a bad realm when challenged.

"As opposed to what?"

We could send a 400 in response to a second identical attempt that has
the same authorization problem, but there's no guarantee that the UA
wouldn't attempt to re-send after that, either.

If you mean, "Never send a 407 if it already has an authorization
header," that won't work -- a request can legitimately have several
authorization headers.  But maybe you have a way to detect whether a
request really is a re-send in response to a 407 from this proxy.

Dale
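
One way to tell a re-send answering this proxy's own 407 apart from a request that merely carries other proxies' authorization headers is to match nonces, sketched below as an added example that is not part of the original thread and not reSIProcate code. `Credential`, `ChallengeTracker` and the sample realm and nonce values are hypothetical, and the sketch assumes the proxy issues unique nonces and remembers them.

```cpp
#include <iostream>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Hypothetical, already-parsed Proxy-Authorization header.
struct Credential {
    std::string realm;
    std::string nonce;
    bool digestOk;  // digest check result for our realm, computed elsewhere
};

enum class Decision { Accept, Challenge, Reject };

// Assumption: this proxy issues unpredictable, unique nonces and remembers them.
class ChallengeTracker {
public:
    explicit ChallengeTracker(std::string realm) : mRealm(std::move(realm)) {}
    void recordIssuedNonce(const std::string& n) { mIssued.insert(n); }

    Decision decide(const std::vector<Credential>& creds) const {
        bool repliedToUs = false;
        for (const auto& c : creds) {
            // Headers carrying someone else's nonce belong to other proxies.
            if (mIssued.count(c.nonce) == 0) continue;
            repliedToUs = true;  // this request answers a 407 we sent
            if (c.realm == mRealm && c.digestOk) return Decision::Accept;
        }
        // Already challenged and still wrong (bad realm, bad digest): do not
        // challenge again; the caller picks the final status code.
        return repliedToUs ? Decision::Reject : Decision::Challenge;
    }

private:
    std::string mRealm;
    std::set<std::string> mIssued;
};

int main() {
    ChallengeTracker proxy("proxy.example");  // constructed sample values
    proxy.recordIssuedNonce("nonce-from-our-407");
    std::vector<Credential> badRealm = {{"wrong.example", "nonce-from-our-407", false}};
    std::cout << (proxy.decide(badRealm) == Decision::Reject) << "\n";
    return 0;
}
```

Nonce expiry and `stale` handling are left out of this sketch.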