Re: [Bug-wget] [PATCH] Change testenv/Test-auth-both.py from XFAIL to a
From: Darshit Shah
Subject: Re: [Bug-wget] [PATCH] Change testenv/Test-auth-both.py from XFAIL to a normal test
Date: Sat, 22 Nov 2014 23:53:58 +0530

Multiple challenges in a single header are allowed. I had to hack a
workaround in the Test suite explicitly to support this behaviour.

I quote RFC 2616, sec. 14.47:

    The WWW-Authenticate response-header field MUST be included in 401
    (Unauthorized) response messages. The field value consists of at least one
    challenge that indicates the authentication scheme(s) and parameters
    applicable to the Request-URI.

        WWW-Authenticate = "WWW-Authenticate" ":" 1#challenge

    The HTTP access authentication process is described in "HTTP
    Authentication: Basic and Digest Access Authentication" [43]. User agents
    are advised to take special care in parsing the WWW-Authenticate field
    value as it might contain more than one challenge, or if more than one
    WWW-Authenticate header field is provided, the contents of a challenge
    itself can contain a comma-separated list of authentication parameters.

Also, do take a look at this mailing list thread:
http://lists.w3.org/Archives/Public/ietf-http-wg/2009OctDec/0295.html
Thanking You,
Darshit Shah
Sent from mobile device. Please excuse my brevity
On 22-Nov-2014 11:26 pm, "Tim Rühsen" <address@hidden> wrote:
> On Saturday, 22 November 2014, 16:24:18, Darshit Shah wrote:
> > Another reason why I never got around to implementing this feature is
> > that it is required by almost no one. The issue at hand is that when a
> > Server responds with two possible authentication methods, the client is
> > expected to choose the strongest one it knows. Instead Wget chooses the
> > first one it knows. This violates the RFC and hence I marked it up as a
> > bug. I'll probably add all this information into the test file in a
> > while and push it.
>
> I just implemented this feature in (selecting the strongest auth method).
>
> But the HTTP test server offers both (Digest,Basic) within a single
> WWW-Authenticate line. The ABNF in RFC2616 does not allow this:
>
> 3.2.1 The WWW-Authenticate Response Header
>
> If a server receives a request for an access-protected object, and an
> acceptable Authorization header is not sent, the server responds with
> a "401 Unauthorized" status code, and a WWW-Authenticate header as
> per the framework defined above, which for the digest scheme is
> utilized as follows:
>
>     challenge        = "Digest" digest-challenge
>
>     digest-challenge = 1#( realm | [ domain ] | nonce |
>                        [ opaque ] |[ stale ] | [ algorithm ] |
>                        [ qop-options ] | [auth-param] )
>
>
>     domain           = "domain" "=" <"> URI ( 1*SP URI ) <">
>     URI              = absoluteURI | abs_path
>     nonce            = "nonce" "=" nonce-value
>     nonce-value      = quoted-string
>     opaque           = "opaque" "=" quoted-string
>     stale            = "stale" "=" ( "true" | "false" )
>     algorithm        = "algorithm" "=" ( "MD5" | "MD5-sess" |
>                        token )
>     qop-options      = "qop" "=" <"> 1#qop-value <">
>     qop-value        = "auth" | "auth-int" | token
>
>
> My knowledge is that the server has to send two lines of WWW-Authenticate
> to offer two authentication methods. Maybe I am wrong, but I would like to
> know from where you got further information. Or is it just a mistake?
>
> Example from Test HTTP server:
> WWW-Authenticate: BasIc realm="Wget-Test", DIgest realm="Test",
> nonce="f07e391eb19dfb441f191f5de7ba687f",
> opaque="548c574974e749c0cfae06302b9e559b", qop="auth"
>
> Don't start to fix the test server, I have it fixed and just await your
> answer.
>
> Tim
>
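
The parsing problem discussed in this message, as an added example that is not wget's or the test suite's code: split WWW-Authenticate values into challenges whether they arrive in one header or in several, then choose by scheme strength rather than by order. The function names and the preference list are assumptions of the example; SAMPLE is the test server header quoted above, with its folded lines joined.

```python
import re

# Strongest first. Assumption: the client knows only Digest and Basic.
PREFERENCE = ("digest", "basic")
# Header from the thread's test server, folded lines joined with spaces.
SAMPLE = ('BasIc realm="Wget-Test", DIgest realm="Test", '
          'nonce="f07e391eb19dfb441f191f5de7ba687f", '
          'opaque="548c574974e749c0cfae06302b9e559b", qop="auth"')
_TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
_SCHEME_START = re.compile(rf"({_TOKEN})[ \t]+(?![ \t=])(.+)")
_PARAM = re.compile(rf'({_TOKEN})[ \t]*=[ \t]*(?:"((?:\\.|[^"\\])*)"|([^\s,]*))')

def _split_commas(value):
    """Split on commas that are outside quoted-strings."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in value:
        if escaped:
            escaped = False
        elif quoted and ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            parts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def parse_challenges(header_values):
    """Return [(scheme, {param: value})] from one or more header values."""
    challenges = []
    for header in header_values:
        for element in _split_commas(header):
            start = _SCHEME_START.fullmatch(element)
            if start:  # "Scheme param=value" opens a new challenge
                challenges.append((start.group(1).lower(), {}))
                element = start.group(2)
            param = _PARAM.fullmatch(element)
            if param and challenges:  # parameter of the current challenge
                quoted, bare = param.group(2), param.group(3)
                challenges[-1][1][param.group(1).lower()] = bare if quoted is None else quoted
    return challenges

def select_strongest(challenges):
    """Pick the most preferred known scheme, regardless of server order."""
    known = [c for c in challenges if c[0] in PREFERENCE]
    return min(known, key=lambda c: PREFERENCE.index(c[0]), default=None)
```

A bare scheme name with no parameters is not recorded as a challenge here, and quoted-pair escapes are kept as written rather than unescaped.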