couchdb-user mailing list archives

From Robert Newson <rnew...@apache.org>
Subject Re: /_session doesn't respond correctly to missing authorization
Date Fri, 11 Nov 2011 08:23:20 GMT
This deviation is deliberate. The reason we don't send it by default
is that the popup dialog cannot be controlled or styled, and the
browser's rendering is considered unacceptable.

There's a setting, described in the stock local.ini, that adds it;

; Uncomment next line to trigger basic-auth popup on unauthorized requests.
;WWW-Authenticate = Basic realm="administrator"

B.

On 11 November 2011 01:10, Jason Smith <jhs@iriscouch.com> wrote:
> On Fri, Nov 11, 2011 at 7:46 AM, Jens Alfke <jens@couchbase.com> wrote:
>> CouchDB’s _session endpoint is violating the HTTP 1.1 spec in the way it responds when not given a valid username/password.
>>
>> Here’s what RFC 2616 says:
>>> 10.4.2 401 Unauthorized
>>> The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.47) containing a challenge applicable to the requested resource.
>
> Interesting. What is the link to the JIRA ticket you created about this? :p
>
> You can work around this in the meantime by setting whatever header
> value you want in /_config/httpd/WWW-Authenticate. It will appear in
> your 401s.
>
> --
> Iris Couch
>
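
An added example, not part of the original thread and not CouchDB's own code: a check that a 401 response carries the WWW-Authenticate challenge that RFC 2616 section 10.4.2 requires, run over two constructed responses (one without the header, one with the local.ini value quoted above). The function name audit_401 and both sample responses are assumptions made for illustration.

```python
import re

# Constructed sample responses (not captured from a real server).
DEFAULT_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"error":"unauthorized"}'
)
CONFIGURED_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    'WWW-Authenticate: Basic realm="administrator"\r\n'
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"error":"unauthorized"}'
)

# An auth-scheme token followed by optional parameters, e.g. Basic realm="x".
CHALLENGE = re.compile(r"^([A-Za-z0-9!#$%&'*+.^_`|~-]+)(?:\s+(.*))?$")
REALM = re.compile(r'realm="([^"]*)"', re.IGNORECASE)


def audit_401(raw):
    """Report whether a raw HTTP response meets RFC 2616 section 10.4.2."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    challenges = []
    for line in header_lines:
        name, sep, value = line.partition(":")
        # Header field names are case-insensitive.
        if sep and name.strip().lower() == "www-authenticate":
            m = CHALLENGE.match(value.strip())
            if m:
                realm = REALM.search(m.group(2) or "")
                challenges.append((m.group(1), realm.group(1) if realm else None))
    return {
        "status": status,
        "challenges": challenges,
        # Only a 401 is required to carry a challenge.
        "compliant": status != 401 or bool(challenges),
        # The thread ties the browser popup to this Basic challenge.
        "basic_challenge": any(s.lower() == "basic" for s, _ in challenges),
    }


if __name__ == "__main__":
    for label, raw in (("default", DEFAULT_401), ("configured", CONFIGURED_401)):
        print(label, audit_401(raw))
```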
