Does anyone have any experience of supporting multiple realms in HTTP Authentication?
The Microsoft website states:
Each authenticate response header contains an available authentication scheme and a realm. If multiple authentication schemes are supported, the server returns multiple authenticate response headers. The realm value is case-sensitive and defines a protection space on the proxy or server. For example, the header “WWW-Authenticate: Basic Realm="example"” would be an example of a header returned when server authentication is required.
This suggests that different areas of a website can be secured using different authentication methods. What we are confused about is how to determine what realm should be stated in the server response to a client request.
Does anyone have any examples of how multiple realms work?
The HTTP specification allows for multiple WWW-Authenticate challenges to be present in a response, either within the same WWW-Authenticate header or using multiple WWW-Authenticate headers within the same response.

There are problems associated with this, as described in RFC 2617, section 4.6. In theory, the client must choose the strongest authentication mechanism available; however, defining which one is the strongest is not always obvious.
I’ve never tried with multiple realms (and the same scheme, for example Basic), but I’m not aware of anything disallowing it. The main problem with multiple realms and the same scheme is that the browser is likely to be confused in terms of user-interface, in particular which realm it challenges the user with.
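The two points in the answer above (several challenges in one response, and a client that must pick one and match stored credentials to a case-sensitive realm) can be exercised with a small client-side parser. This is an added example, not code from the question or answer: the sample header values are constructed, and the scheme preference order used to pick the "strongest" challenge is an assumption, since RFC 2617 leaves that ranking to the client.

```python
"""Parse WWW-Authenticate challenges and pick one, as a client would have to.

Handles both forms the answer describes: several comma-separated challenges in
one header value, and one challenge per header. Added example; sample data and
the scheme ranking are constructed assumptions, not from the original post.
"""
import re
from dataclasses import dataclass, field

# RFC 7230 token and quoted-string grammar, enough for challenge parameters.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_PARAM_RE = re.compile(rf"\s*(?P<name>{_TOKEN})\s*=\s*(?P<value>{_TOKEN}|{_QUOTED})")
# A scheme name is a bare token followed by whitespace, a comma, or end of value.
_SCHEME_RE = re.compile(rf"\s*(?P<scheme>{_TOKEN})(?=\s|,|$)")
_SEP_RE = re.compile(r"\s*,?\s*")

# Assumed ranking, strongest first. Basic transmits the password itself, so it
# ranks last; Negotiate and Digest are preferred when offered.
SCHEME_PREFERENCE = ("negotiate", "digest", "basic")

# Constructed sample response: two challenges in the first header, one in the second.
SAMPLE_HEADERS = [
    'Basic realm="Intranet", Digest realm="Intranet", qop="auth", '
    'nonce="dcd98b7102dd2f0e", opaque="5ccc069c403ebaf9"',
    "Negotiate",
]


@dataclass
class Challenge:
    scheme: str                      # stored lower-case: scheme names are case-insensitive
    params: dict = field(default_factory=dict)

    @property
    def realm(self):
        # Realm values are case-sensitive, so they are returned untouched.
        return self.params.get("realm")


def _unquote(value):
    """Strip surrounding quotes and backslash escapes from a quoted-string."""
    if value.startswith('"'):
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value


def parse_challenges(header_values):
    """Turn a list of WWW-Authenticate header values into Challenge objects."""
    challenges = []
    for value in header_values:
        pos, current = 0, None
        while pos < len(value):
            pos = _SEP_RE.match(value, pos).end()   # skip commas and whitespace
            if pos >= len(value):
                break
            m = _PARAM_RE.match(value, pos)
            if m and current is not None:
                # Parameter names are case-insensitive; values keep their case.
                current.params[m.group("name").lower()] = _unquote(m.group("value"))
                pos = m.end()
                continue
            m = _SCHEME_RE.match(value, pos)
            if not m:
                raise ValueError(f"malformed challenge at offset {pos}: {value[pos:]!r}")
            current = Challenge(scheme=m.group("scheme").lower())
            challenges.append(current)
            pos = m.end()
    return challenges


def choose_challenge(challenges, preference=SCHEME_PREFERENCE):
    """Return the first challenge whose scheme ranks highest in `preference`."""
    for scheme in preference:
        for challenge in challenges:
            if challenge.scheme == scheme:
                return challenge
    return None


def credentials_for(challenge, store):
    """Look up credentials keyed by (scheme, realm); the realm match is case-sensitive."""
    return store.get((challenge.scheme, challenge.realm))


if __name__ == "__main__":
    parsed = parse_challenges(SAMPLE_HEADERS)
    for challenge in parsed:
        print(challenge)
    print("chosen:", choose_challenge(parsed))
```

Running the module prints the three parsed challenges and shows that, with the assumed ranking, the bare `Negotiate` challenge wins over the Digest and Basic ones offered for the same realm. The `credentials_for` lookup illustrates the user-interface problem the answer mentions: two Basic challenges whose realms differ only in case are distinct protection spaces, so a client keying credentials by realm must treat them as separate.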