
Re: [Bug-wget] [PATCH] Change testenv/Test-auth-both.py from XFAIL to a

From: Tim Rühsen
Subject: Re: [Bug-wget] [PATCH] Change testenv/Test-auth-both.py from XFAIL to a normal test
Date: Sat, 22 Nov 2014 18:56:43 +0100
User-agent: KMail/4.14.2 (Linux/3.16.0-4-amd64; KDE/4.14.2; x86_64; ; )

On Saturday, 22 November 2014, 16:24:18, Darshit Shah wrote:
> Another reason why I never got around to implementing this feature is that
> it is required by almost no one. The issue at hand is that when a Server
> responds with two possible authentication methods, the client is expected
> to choose the strongest one it knows. Instead Wget chooses the first one it
> knows. This violates the RFC and hence I marked it up as a bug. I'll
> probably add all this information into the test file in a while and push
> it.

I just implemented this feature in (selecting the strongest auth method).

But the HTTP test server offers both (Digest,Basic) within a single WWW-
Authenticate line. The ABNF in RFC2616 does not allow this:

3.2.1 The WWW-Authenticate Response Header

   If a server receives a request for an access-protected object, and an
   acceptable Authorization header is not sent, the server responds with
   a "401 Unauthorized" status code, and a WWW-Authenticate header as
   per the framework defined above, which for the digest scheme is
   utilized as follows:

      challenge        =  "Digest" digest-challenge

      digest-challenge  = 1#( realm | [ domain ] | nonce |
                          [ opaque ] |[ stale ] | [ algorithm ] |
                          [ qop-options ] | [auth-param] )

      domain            = "domain" "=" <"> URI ( 1*SP URI ) <">
      URI               = absoluteURI | abs_path
      nonce             = "nonce" "=" nonce-value
      nonce-value       = quoted-string
      opaque            = "opaque" "=" quoted-string
      stale             = "stale" "=" ( "true" | "false" )
      algorithm         = "algorithm" "=" ( "MD5" | "MD5-sess" |
                           token )
      qop-options       = "qop" "=" <"> 1#qop-value <">
      qop-value         = "auth" | "auth-int" | token

My knowledge is that the server has to send two lines of WWW-Authenticate to 
offer two authentication methods. Maybe I am wrong, but I would like to know 
from where you got further information. Or is it just a mistake?

Example from Test HTTP server:
WWW-Authenticate: BasIc realm="Wget-Test", DIgest realm="Test", 
opaque="548c574974e749c0cfae06302b9e559b", qop="auth"

Don't start to fix the test server, I have it fixed and just await your answer.

Attachment: signature.asc
Description: This is a digitally signed message part.
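
A sketch of the client-side handling discussed in this message, added here as an example and not taken from Wget or its test suite: it parses `WWW-Authenticate` whether the challenges arrive in one field or on separate lines, then picks the strongest scheme the client knows. The `STRENGTH` ranking and all function names are assumptions of this example; token68-style challenges are not handled.

```python
import re

# Ranking is an assumption of this example: higher means stronger.
STRENGTH = {"basic": 1, "digest": 2}

def split_commas(value):
    """Split a field value on commas that lie outside quoted-strings."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in value:
        if ch == "," and not quoted:
            parts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
        if escaped:
            escaped = False
        elif quoted and ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def unquote(v):
    if len(v) >= 2 and v[0] == v[-1] == '"':
        return re.sub(r'\\(.)', r'\1', v[1:-1])
    return v

def parse_challenges(field_values):
    challenges = []
    for value in field_values:
        for item in split_commas(value):
            # "scheme SP param" or a bare scheme opens a new challenge;
            # a plain name=value item belongs to the challenge before it.
            m = re.match(r'([^\s=]+)\s+(?!=)(.*)$', item, re.S)
            if m or "=" not in item:
                challenges.append(((m.group(1) if m else item).lower(), {}))
                item = m.group(2) if m else ""
            if item and challenges:
                name, _, val = item.partition("=")
                challenges[-1][1][name.strip().lower()] = unquote(val.strip())
    return challenges

def strongest(challenges):
    known = [c for c in challenges if c[0] in STRENGTH]
    return max(known, key=lambda c: STRENGTH[c[0]], default=None)

# Header from the post (unwrapped), then a constructed two-line equivalent.
SINGLE_LINE = ['BasIc realm="Wget-Test", DIgest realm="Test", opaque="548c574974e749c0cfae06302b9e559b", qop="auth"']
TWO_LINES = [v.strip() for v in SINGLE_LINE[0].split(", DIgest")[:1]] + ['DIgest' + SINGLE_LINE[0].split(", DIgest")[1]]
```

Both input forms yield the same two challenges, and `strongest()` returns the Digest one regardless of the order in which the server listed them.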
