httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 31905] - Challenges do not include an "opaque" directive
Date Wed, 27 Oct 2004 13:51:21 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=31905>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=31905

------- Additional Comments From jobollin@indiana.edu  2004-10-27 13:51 -------
Yes, I did report this to Macromedia as a bug.  Having read the spec before
posting this report, I think httpd's implementation follows its spirit in this
regard, and Dreamweaver's is buggy.  Perhaps I should have flagged this as an
RFE instead of a bug.  As I wrote in my initial comments, though, the spec does
not explicitly require the origin server to reject credentials such as those
described: it requires that if the server provides an opaque then the client
must echo it back to authenticate successfully, but it does not define required
behavior if the server doesn't send an opaque but the client responds with one.

I think the best solution would be one that avoids any reliance on grey areas in
the spec, hence the first thing I recommended was that the opaque directive be
included in challenges in the first place (thus making the required client
behavior unambiguous).  The opaque is already computed on the front end and
checked among the client's other authorization credentials, so that option
doesn't appear to be too much work.

Making httpd tolerant of Dreamweaver's behavior (and who knows what other
clients') by creating a special case for an empty opaque value would solve my
problem, though, so if that's what you prefer to implement then it's OK by me.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
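
The server-side opaque check discussed in the comment above, as an added example that is not httpd's code and not part of the original message. It covers the case the spec defines, the undefined case, and the proposed empty-opaque special case; `parse_digest`, `opaque_ok`, `tolerate_empty` and all header values are hypothetical and constructed for illustration.

```python
import hmac
import re

# One directive: name = quoted-string | token, followed by a comma or end of input.
_PAIR = re.compile(
    r'\s*([A-Za-z][\w-]*)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))\s*(?:,|$)')

def parse_digest(header):
    """Return the directives of a Digest header value as a dict (names lowercased)."""
    scheme, _, rest = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    params, pos = {}, 0
    while pos < len(rest):
        m = _PAIR.match(rest, pos)
        if not m:
            raise ValueError("malformed directive at offset %d" % pos)
        quoted, token = m.group(2), m.group(3)
        # An empty quoted-string yields "" here, which stays distinct from "absent".
        value = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else token
        params[m.group(1).lower()] = value
        pos = m.end()
    return params

def opaque_ok(issued, authorization, tolerate_empty=False):
    """issued: the opaque sent in the challenge, or None if the challenge had none."""
    echoed = parse_digest(authorization).get("opaque")
    if issued is not None:
        # Defined by the spec: the client must return the value unchanged.
        return echoed is not None and hmac.compare_digest(
            echoed.encode(), issued.encode())
    if echoed is None:
        return True  # nothing issued, nothing returned
    # Grey area: nothing issued, but the client sent an opaque anyway.
    # Assumption: the special case accepts only the empty value.
    return tolerate_empty and echoed == ""

# Constructed sample credentials (not captured traffic).
BASE = ('Digest username="alice", realm="test", nonce="n0nce", uri="/", '
        'nc=00000001, qop=auth, response="' + "0" * 32 + '"')
WITH_EMPTY = BASE + ', opaque=""'
WITH_VALUE = BASE + ', opaque="c29tZS1vcGFxdWU"'

if __name__ == "__main__":
    for label, issued, hdr, tol in [
            ("issued and echoed", "c29tZS1vcGFxdWU", WITH_VALUE, False),
            ("none issued, empty sent, strict", None, WITH_EMPTY, False),
            ("none issued, empty sent, tolerant", None, WITH_EMPTY, True)]:
        print(label, "->", opaque_ok(issued, hdr, tol))
```

Sending an opaque in every challenge keeps all requests on the first branch, which is the unambiguous path the comment recommends.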

