perl-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Geoffrey Young <>
Subject Re: cvs commit: modperl-2.0/t/hooks/TestHooks
Date Mon, 09 Aug 2004 18:49:52 GMT wrote:
> stas        2004/08/08 10:56:53
>   Added:       t/hooks  authen_digest.t
>                t/hooks/TestHooks
>   Log:
>   digest auth test

cool!  I love that people are becoming as interested in Digest auth as I am :)

the only comment that I would make is that these tests aren't really testing
the right thing.

the only apache API we have access to is $r->note_digest_auth_failure, which
has the job of setting a proper WWW-Authenticate header.  the current tests
only really test this by accident, relying on LWP's Digest implementation to
 handle the header appropriately.

so, really what I would do is manually check for the 401, which would
indicate that Apache::HTTP_UNAUTHORIZED was returned, and check for
WWW-Authenticate (and its properties), which would indicate that
$r->note_digest_auth_failure was called (and given the proper fields, like
the Realm).

all the rest of the server side code is really unnecessary as well - you
could easily use $r->args to toggle whether $r->note_digest_auth_failure is
called.  not that there is anything wrong with coding the server-side auth
foo yourself, but what happens now is that someone who uses the tests as an
example doesn't see that a) there is are CPAN modules to do this and b) that
the implementation is imperfect, since it only handles the old digest auth
scheme and not the newer one (where stuff like qop is important).

so, there's nothing wrong with the tests per-se, but it seems to me to be
lots of unnecessary work that is (perhaps) not even really testing the right


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message