httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 38114] New: - Authorization header ignored -- it should be handled always
Date Wed, 04 Jan 2006 00:25:32 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=38114>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=38114

           Summary: Authorization header ignored -- it should be handled
                    always
           Product: Apache httpd-2
           Version: 2.0.49
          Platform: Other
        OS/Version: other
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_auth
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: lisa@osafoundation.org
                CC: gstein@lyra.org,julian.reschke@gmx.de


We're trying to understand how HTTP and WebDAV clients can pre-emptively
authenticate.  I note in looking for duplicate bugs on this topic that there's
already been some work on getting HTTP-client to be able to pre-emptively
authenticate (http://issues.apache.org/bugzilla/show_bug.cgi?id=10532).  But we
seem to have found a case where this doesn't work -- perhaps it's because the
resource we queried doesn't require authentication in order to download.  

Here's the telnet session of Julian Reschke testing this:

Trying 66.96.29.211...
Connected to www.webdav.org.
Escape character is '^]'.
GET /bind/ HTTP/1.1
Host: www.webdav.org
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==


HTTP/1.1 200 OK
Date: Sat, 31 Dec 2005 11:11:56 GMT
Server: Apache/2.0.49 (Fedora)
Last-Modified: Mon, 18 Jul 2005 13:44:03 GMT
ETag: "46d0c1-5df6-cae68ec0"
Accept-Ranges: bytes
Content-Length: 24054
Content-Type: text/html; charset=UTF-8

<html xmlns:v="urn:schemas-microsoft-com:vml"
xmlns:o="urn:schemas-microsoft-com:office:office"
xmlns:w="urn:schemas-microsoft-com:office:word"
xmlns="http://www.w3.org/TR/REC-html40">

... rest of response truncated ...

---

What we expected to happen, rather than a 200 OK, would be a 401 Unauthenticated
with an authentication challenge.  Once the client gets the authentication
challenge with the domain, it can maybe do a successful authentication.

My understanding of why it should happen that way is based on RFC2617
(http://rfc.net/rfc2617.html#s1.2):

   "If the origin server does not wish to accept the credentials sent
   with a request, it SHOULD return a 401 (Unauthorized) response. The
   response MUST include a WWW-Authenticate header field containing at
   least one (possibly new) challenge applicable to the requested
   resource."

In this case webdav.org is the origin server, and we believe it did not accept
the credentials.  Those credentials (copied from the example in RFC2617) should
map to the userid "Aladdin" and password "open sesame" which we didn't expect
ought to work :)

Is there something we're not aware of here or some reason why the server ignores
the SHOULD in RFC2617?  -- thanks

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
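The report above turns on one distinction: whether the server examines the Authorization header at all, or only does so where its configuration requires authentication (the reporter's own guess about /bind/). The following Python model is an added example, not Apache httpd's code or the reporter's; the protected path prefix, realm name and user table are constructed assumptions. It decodes an RFC 2617 Basic credential, serves unprotected paths without looking at the credentials (the 200 seen in the telnet session), and for protected paths either accepts valid credentials or answers 401 with the WWW-Authenticate challenge the RFC calls for.

```python
import base64
import binascii
import hmac
from typing import Dict, Optional, Tuple

# Constructed configuration (assumption, not webdav.org's real setup):
# only paths under /protected/ require Basic auth, in realm "WebDAV".
PROTECTED_PREFIXES = {"/protected/": "WebDAV"}

# Constructed user table (plaintext passwords for the demo only).
USERS = {"Aladdin": "open sesame"}


def parse_basic_credentials(header_value: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode an RFC 2617 Basic credential: 'Basic ' + base64('user:password').

    Returns (user, password), or None when the header is absent or malformed.
    """
    if not header_value:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:  # the colon separator is mandatory in the Basic scheme
        return None
    return user, password


def credentials_valid(user: str, password: str, users: Dict[str, str] = USERS) -> bool:
    """Check a user/password pair against the table with a constant-time compare."""
    expected = users.get(user)
    if expected is None:
        # Compare against a dummy so an unknown user costs about the same time.
        hmac.compare_digest(password.encode(), b"\x00" * 16)
        return False
    return hmac.compare_digest(password.encode(), expected.encode())


def realm_for(path: str, protected: Dict[str, str] = PROTECTED_PREFIXES) -> Optional[str]:
    """Return the realm protecting `path`, or None if the path is not protected."""
    for prefix, realm in protected.items():
        if path.startswith(prefix):
            return realm
    return None


def handle_request(path: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Return (status, response headers) for a GET of `path`.

    Unprotected paths are served anonymously and the Authorization header is
    never examined, which is the behaviour the bug report observed for /bind/.
    Protected paths require valid credentials; otherwise the response is a 401
    carrying the WWW-Authenticate challenge required by RFC 2617.
    """
    realm = realm_for(path)
    if realm is None:
        return 200, {}
    creds = parse_basic_credentials(headers.get("Authorization"))
    if creds is None or not credentials_valid(*creds):
        return 401, {"WWW-Authenticate": f'Basic realm="{realm}"'}
    return 200, {}


if __name__ == "__main__":
    # The credential from the telnet session in the report (RFC 2617's example).
    rfc_example = "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
    print(parse_basic_credentials(rfc_example))
    print(handle_request("/bind/", {"Authorization": rfc_example}))
    print(handle_request("/protected/x", {"Authorization": "Basic Ym9iOndyb25n"}))
```

The model makes the observed behaviour explicit: a 200 on /bind/ says nothing about whether the credentials were "accepted", because no authentication directive applied to that location and the header was never consulted. A client that wants to confirm its credentials should send them to a location that is actually protected, where a wrong password produces the 401 and challenge.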

