hc-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Oleg Kalnichevski <ol...@apache.org>
Subject Re: [PATCH] Reworked digest auth
Date Sat, 13 Sep 2003 09:48:30 GMT
Odi,
The patch looks fine to me. There is just a few minor points that I
would like to be considered before the patch is committed:

- DigestScheme#DigestScheme( String ) constructor should probably log a
warning message or even throw an exception if it encounters an
unrecognised 'qop' element. Currently they are just silently ignored.
- Use StringBuffer to concatenate strings in DigestScheme#createDigest(
String, String ).
- A test case for unsupported qop in HTTP Digest authentication would be
nice.
- The patch makes a few public methods private (quite appropriately in
my opinion). Nobody is going to miss them, I think, however, the fact of
2.0 API breakage should be reflected in API_CHANGES_2_1.txt

Cheers

Oleg


On Thu, 2003-09-11 at 11:55, Ortwin Gl├╝ck wrote: 
> While reviewing a Patch to include MD5-sess into the Digest 
> Authentication Scheme I came across a few flaws in that class. I suggest 
> the following changes (see attached patch):
> 
> - The qop Parameter must be parsed correctly and not just be ignored
> - The fact that it is legal to have a missing qop must not be ignored
> - The class should be prepared to handle the auth-int qop option
>    (even though an implementation is not possible with the current design)
> - The public interface of this class is narrowed (as it is not needed by 
> the tests any more)
> - The test cases should check the actual result rather than checking for 
> equality after another run through the same logic. Note: This is not 
> simple for requests that require the client to generate a cnonce.
> 
> The patch is against HEAD. The 2.0 branch would be unaffected by these 
> changes.
> 
> Odi
> 
> ______________________________________________________________________
> --
> To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org


Mime
View raw message