Re: [hybi] WebSocket handshake (HTTP and SSO)

Scott Ferguson <ferg@caucho.com> Mon, 30 August 2010 22:12 UTC

Message-ID: <4C7C2CCA.2060106@caucho.com>
Date: Mon, 30 Aug 2010 15:12:26 -0700
From: Scott Ferguson <ferg@caucho.com>
To: Greg Wilkins <gregw@webtide.com>
Cc: hybi <hybi@ietf.org>, Brodie Thiesfield <brodie@jellycan.com>
Subject: Re: [hybi] WebSocket handshake (HTTP and SSO)

Greg Wilkins wrote:
> On 31 August 2010 03:54, Hector Santos <hsantos@isdg.net> wrote:
>   
>> Scott Ferguson wrote:
>>     
>>> If we just punt and make applications write their own authentication
>>> instead of piggybacking on the handshake, it would cost an extra round trip.
>>>       
>> But you also can't prevent this
>>     
>
> +1
>
> The handshake is an HTTP request that in many cases will be directed at
> a general purpose HTTP server running applications that often have
> sophisticated and mandated authentication mechanisms.
>
> It may be difficult for deployers to get an exception to a deployment
> policy that says: "all web applications will use XYZ authentication",
> so any inability for the handshake to penetrate work with common
> authentication mechanisms will be an impediment to deployment.   Allowing
> authentication exceptions for websocket handshakes may complicate
> authentication schemes and increase risk of human error creating
> security holes. Even if authentication exceptions are allowed for the
> websocket, human error will mean that sometimes the wrong URL will be used
> and the ws handshake will see authentication failures, so at the very
> least these need to be handled in a reasonable way.
>
> I really don't think we want to be in the game of: "oh you are using
> XyZ authentication! why do you want to use that? You can use WS if
> only you change to use PqY authentication".  We should just work with
> commonly deployed HTTP authentication mechanisms, even if we think
> they are rubbish etc.
>   

What are you talking about?

I'm just pointing out that the current handshake cannot support any 
challenge/response authentication mechanism like HTTP DIGEST. It's only 
capable of HTTP BASIC authentication.

-- Scott

>
> cheers
>
>
>
>
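
The constraint described in the message above, as an added example that is not part of the original mail: Basic credentials can be sent unprompted in a single handshake request, while an RFC 2617 Digest response cannot be computed until the server has issued a nonce in a 401 challenge. The `Server` and `connect` names, the credentials, and the one-request limit modelled by `max_requests=1` are assumptions made for illustration.

```python
import base64, hashlib, hmac, os

USER, PASSWORD, REALM = "alice", "s3cret", "ws-demo"  # constructed sample values
METHOD, URI = "GET", "/chat"

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def basic_header():
    # Basic needs nothing from the server, so it fits in the first request.
    return "Basic " + base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()

def digest_response(nonce, cnonce, nc="00000001"):
    # RFC 2617 request-digest with qop=auth; depends on the server-issued nonce.
    ha1 = md5_hex(f"{USER}:{REALM}:{PASSWORD}")
    ha2 = md5_hex(f"{METHOD}:{URI}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

class Server:
    def __init__(self, scheme):
        self.scheme, self.nonces = scheme, set()

    def handle(self, auth):
        """Process one handshake request; return (status, challenge)."""
        if self.scheme == "basic":
            ok = isinstance(auth, str) and hmac.compare_digest(auth, basic_header())
            return (101, None) if ok else (401, {"scheme": "Basic"})
        if isinstance(auth, dict) and auth["nonce"] in self.nonces:
            self.nonces.discard(auth["nonce"])  # each nonce is accepted once
            expected = digest_response(auth["nonce"], auth["cnonce"])
            if hmac.compare_digest(auth["response"], expected):
                return 101, None
        nonce = os.urandom(16).hex()  # fresh challenge for the next attempt
        self.nonces.add(nonce)
        return 401, {"scheme": "Digest", "nonce": nonce}

def connect(server, max_requests):
    """Hypothetical client: final status after at most max_requests tries."""
    auth = basic_header() if server.scheme == "basic" else None
    status = None
    for _ in range(max_requests):
        status, challenge = server.handle(auth)
        if status == 101 or challenge["scheme"] != "Digest":
            break
        cnonce = os.urandom(8).hex()
        auth = {"nonce": challenge["nonce"], "cnonce": cnonce,
                "response": digest_response(challenge["nonce"], cnonce)}
    return status
```

With `max_requests=1` the Digest client ends on 401 holding a nonce it never gets to use; allowing a second request is the extra round trip that a challenge/response scheme requires.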