Bug 37 - must consume (and remove) Proxy-Authorization headers
Status: NEW
Alias: None
Product: repro
Classification: Unclassified
Component: proxy
Version: unspecified
Hardware: Other All
Importance: P1 normal
Assignee: Owner of all unassigned bugs
Reported: 2012-09-26 16:19 CDT by Daniel Pocock
Modified: 2012-09-26 16:19 CDT

Description Daniel Pocock 2012-09-26 16:19:21 CDT
When forwarding a message, the proxy should remove a Proxy-Authorization header that it has consumed.

There is already code for doing this but it is commented out.

Relevant comments from RFC 3261:

s22.1  "The requirements for inclusion of the Proxy-Authenticate,
   Proxy-Authorization, WWW-Authenticate, and Authorization in the
   various messages are identical to those described in RFC 2617 [17]."

s22.3 "The use of Proxy-Authenticate and Proxy-Authorization parallel that
   described in [17], with one difference.  Proxies MUST NOT add values
   to the Proxy-Authorization header field."

"A Proxy-Authorization header field value applies only to the proxy
   whose realm is identified in the "realm" parameter (this proxy may
   previously have demanded authentication using the Proxy-Authenticate
   field).  When multiple proxies are used in a chain, a Proxy-
   Authorization header field value MUST NOT be consumed by any proxy
   whose realm does not match the "realm" parameter specified in that

In particular, RFC 2617 is the HTTP RFC, and it mandates that proxies remove headers that they have used to successfully.  This rule isn't explicitly written in the SIP RFC, but it is implied.
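
The behaviour requested above, as an added example that is not part of the bug report and is not repro's own code: strip only the Proxy-Authorization values whose realm is this proxy's own, and let credentials for any other realm pass through untouched. The function names, the sample realms and the one-credential-per-line input are assumptions made for the illustration.

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

// Lower-case copy for case-insensitive header and parameter names.
static std::string lower(std::string s) {
    for (char& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

// Quoted realm value of a credentials string, or "" if there is none.
static std::string realmOf(const std::string& value) {
    const std::string lc = lower(value);  // same length, so indices match
    for (std::size_t pos = lc.find("realm"); pos != std::string::npos; pos = lc.find("realm", pos + 1)) {
        if (pos > 0 && std::string(" \t,").find(lc[pos - 1]) == std::string::npos) continue;  // tail of another name
        std::size_t i = lc.find_first_not_of(" \t", pos + 5);
        if (i == std::string::npos || lc[i] != '=') continue;
        i = lc.find_first_not_of(" \t", i + 1);
        if (i == std::string::npos || lc[i] != '"') continue;
        const std::size_t close = value.find('"', i + 1);
        return close == std::string::npos ? std::string() : value.substr(i + 1, close - i - 1);
    }
    return std::string();
}

// Remove Proxy-Authorization lines whose realm is ownRealm; returns the number removed.
// Assumption: the caller has already verified (consumed) the credentials for ownRealm.
std::size_t stripConsumedProxyAuth(std::vector<std::string>& headers, const std::string& ownRealm) {
    const std::size_t before = headers.size();
    headers.erase(std::remove_if(headers.begin(), headers.end(), [&](const std::string& line) {
        const std::size_t colon = line.find(':');
        if (colon == std::string::npos) return false;
        std::string name = lower(line.substr(0, colon));
        name.erase(name.find_last_not_of(" \t") + 1);  // SIP allows "Name : value"
        if (name != "proxy-authorization") return false;
        const std::string realm = realmOf(line.substr(colon + 1));
        return !realm.empty() && realm == ownRealm;  // other proxies' realms pass through
    }), headers.end());
    return before - headers.size();
}

// Constructed sample headers: credentials for two proxies in a chain plus end-to-end credentials.
std::vector<std::string> sampleHeaders() {
    return {
        "Proxy-Authorization: Digest username=\"alice\", realm=\"proxy1.example.org\", nonce=\"abc\", response=\"00\"",
        "proxy-authorization : Digest username=\"alice\", realm=\"proxy2.example.net\", nonce=\"def\", response=\"11\"",
        "Authorization: Digest username=\"alice\", realm=\"proxy1.example.org\", nonce=\"ghi\", response=\"22\"",
    };
}
```

The Authorization header is left alone even when its realm matches, since it carries end-to-end credentials rather than credentials for the proxy.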