xml-rpc-dev mailing list archives

From Adam Megacz <a...@megacz.com>
Subject Re: patch to correct improper handling of HTTP Basic authentication
Date Sun, 25 Aug 2002 02:01:05 GMT

Daniel Rall <dlr@finemaltcoding.com> writes:
> > The key concept here is that HTTP simply does not support the notion
> > of "optional authentication".

> HTTP does not support the notion of optional auth, but an XML-RPC
> handler might (say, based on some configuration parameter).

Er, if HTTP Basic authentication is being used, then XML-RPC *cannot*
support optional authentication without violating the HTTP spec.  If
the username and password are XML-RPC values, then you can do whatever
you like.

> If it does not, were you trying to keep AuthenticatedXmlRpcHandler
> authors from shooting themselves in the foot?

Exactly.  If the handler uses authentication, and user==null,
returning a 401 is the *only* valid response.  This is something most
people aren't aware of, and are extremely likely to screw up.

  - a

"Cassette tapes are killing the music industry"
                             -- RIAA spokesperson, 1978
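
The rule discussed in this message, sketched as an added example (not part of the original message and not Apache XML-RPC code): a handler that requires HTTP Basic authentication answers missing, malformed or wrong credentials with a 401 challenge and never runs the call. The names `USERS`, `REALM`, `parse_basic`, `challenge` and `handle` and the sample credentials are assumptions made for illustration.

```python
import base64
import binascii
import hmac

# Constructed sample credential store and realm (assumptions for this example).
USERS = {"alice": "s3cret"}
REALM = "xmlrpc"


def parse_basic(header):
    """Return (user, password) from an Authorization header value, or None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Split on the first colon only: the password may itself contain colons.
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        return None
    return user, password


def challenge():
    """The 401 response carrying the Basic challenge for this realm."""
    return 401, {"WWW-Authenticate": 'Basic realm="%s"' % REALM}, b""


def handle(headers, requires_auth, call):
    """Dispatch one request; `call` stands in for the XML-RPC method body."""
    if not requires_auth:
        return 200, {}, call(None)
    creds = parse_basic(headers.get("Authorization"))
    if creds is None:
        # user == null on an authenticated handler: challenge, do not run the call.
        return challenge()
    user, password = creds
    expected = USERS.get(user)
    # Constant-time comparison; unknown users are compared against a dummy value.
    ok = hmac.compare_digest(password.encode(), (expected or "\0").encode())
    if expected is None or not ok:
        return challenge()
    return 200, {}, call(user)
```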
