httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ragini Bisarya" <ragini.bisa...@gmail.com>
Subject [users@httpd] 100-continue response when 401 expected - Apache 2.2.26
Date Tue, 16 Oct 2007 01:15:42 GMT
Hi,

I see a difference in the way Apache responds to a Expect:
100-continue header in version 1.3.33 vs 2.2.6. The 1.3.33 handling is
correct. I feel the 2.2.6 handling is a bug.

For PUT requests with a Expect: 100-continue header, Apache 2.2.6
server sends a HTTP/1.1 100 Continue response before checking to see
if a 401 or 405 response might need to be sent for the request.

The client ends up sending the entire PUT or POST body in response to
the 100 continue only to have it be rejected by the server due to a
401, then having to resend the request with the authentication header
and the entire message body a second time. This defeats the purpose of
the continue response stated in the HTTP 1.1 RFC -
http://www.w3.org/Protocols/rfc2616/rfc2616-sec8.html#sec8.2.3

Apache 1.3.33 on the other hand, checks for the 401 condition before
sending a 100 Continue response. It sends a 401 to the client. This
allows the client to include an appropriate Authentication header when
resending the request. This improves the chances of the request being
accepted by the server and the client needs to send the message body
just once.

Since the client does not know if the server resource is protected by
basic or digest authentication scheme, it needs to wait for the
server's 401 before sending the appropriate Auth header in the
request.

Here is the request/response sequence for this problem (using a small
file in this example to illustrate the problem. In a real world
scenario this is a serious issue for large files.) ...


Using Apache 2.2.6
-----------------------------

>>> to server
PUT /secret/test.html HTTP/1.1
Host: 10.10.10.1:8080
Expect: 100-continue
Date: Mon, 15 Oct 2007 20:05:24 GMT
Connection: Keep-Alive
Content-Length: 49
Content-Type: application/octet-stream


<<< from server
HTTP/1.1 100 Continue

>>>Sending entire file the first time ...
>>> to server (in real life this would be a very large file)
<html><body><h1>Secret works!</h1></body></html>

<<<from server
HTTP/1.1 401 Authorization Required
Date: Mon, 15 Oct 2007 20:05:24 GMT
Server: Apache/2.2.6 (Unix)
WWW-Authenticate: Basic realm="secret_access"
Content-Length: 401
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
etc...

>>>to server
PUT /secret/test.html HTTP/1.1
Host: 10.10.10.1:8080
Authorization: Basic dGVzdDp0ZXN0
Date: Mon, 15 Oct 2007 20:05:24 GMT
Connection: Keep-Alive
Content-Length: 49
Content-Type: application/octet-stream

>>>Sending entire file for the second time ...
>>> to server
<html><body><h1>Secret works!</h1></body></html>

<<<from server
HTTP/1.1 204
etc...


Using Apache 1.3.33
-----------------------------
>>> to server
PUT /secret/test.html HTTP/1.1
Host: 10.10.10.1:8888
Expect: 100-continue
Date: Mon, 15 Oct 2007 22:22:24 GMT
Connection: Keep-Alive
Content-Length: 49
Content-Type: application/octet-stream

<<<from server
HTTP/1.1 401 Authorization Required
Date: Mon, 15 Oct 2007 22:22:24 GMT
Server: Apache/1.3.33 (Unix)
WWW-Authenticate: Basic realm="secret_access"
Content-Length: 401
Connection: close
etc...

>>>to server
PUT /secret/test.html HTTP/1.1
Host: 10.10.10.1:8080
Authorization: Basic dGVzdDp0ZXN0
Date: Mon, 15 Oct 2007 22:22:24 GMT
Connection: Keep-Alive
Content-Length: 49
Content-Type: application/octet-stream

<html><body><h1>Secret works!</h1></body></html>

<<<from server
HTTP/1.1 204
etc...

My test apache setup...
OS - Solaris 2.8.
configure options - enable-auth-digest (I did not use digest
authentication for my test above.)

I have a simple put.cgi handling the put request.
I have a .htaccess file in the htdocs/secret dir and using a password
file generated using htpasswd.

Thanks
Ragini

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message