xml-rpc-dev mailing list archives

From Adam Megacz <a...@megacz.com>
Subject Re: patch to correct improper handling of HTTP Basic authentication
Date Fri, 23 Aug 2002 20:30:34 GMT

Daniel Rall <dlr@finemaltcoding.com> writes:
> My intention was to leave the authentication step up to the handler,
> an approach which gives more freedom to the author.  However, if HTTP
> demands a user name for Basic auth ('scuse my ignorance), we should
> not only do as you suggest but also throw an AuthenticationFailed
> exception if the empty string is used.  Does this sound okay?

That sounds fine.

The key concept here is that HTTP simply does not support the notion
of "optional authentication".

A resource is either authenticated or not, and the process of
authenticating to a resource involves first deliberately sending a
failed attempt (which is how you get stuff like the realm, authtype,
and digest nonce) before you send an authenticated attempt.


  - a

"Cassette tapes are killing the music industry"
                             -- RIAA spokesperson, 1978
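
The server-side behaviour discussed in this thread, as an added example that is not part of the original message or the project's code: a request with no credentials, malformed credentials, or an empty user name is answered with a 401 challenge carrying the realm, and only a valid retry succeeds. The names REALM, USERS, parse_basic, check and handle, and the AuthenticationFailed class defined here, are assumptions made for illustration; header lookup is simplified to an exact-case dict key.

```python
import base64
import binascii
import hmac

REALM = "xmlrpc"                 # constructed realm name
USERS = {"alice": "secret"}      # constructed credential store

class AuthenticationFailed(Exception):
    """Stand-in defined for this example, not the project's class."""

def parse_basic(header):
    """Decode an Authorization header value into (user, password)."""
    if not header:
        raise AuthenticationFailed("no credentials sent")
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise AuthenticationFailed("unsupported scheme")
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        raise AuthenticationFailed("malformed credentials")
    user, sep, password = decoded.partition(":")  # password may contain ':'
    if not sep or user == "":
        raise AuthenticationFailed("empty or missing user name")
    return user, password

def check(user, password):
    """Constant-time comparison against the constructed store."""
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(
        expected.encode(), password.encode())

def handle(headers):
    """Return (status, response_headers) for a protected resource."""
    try:
        user, password = parse_basic(headers.get("Authorization"))
        if not check(user, password):
            raise AuthenticationFailed("bad user name or password")
    except AuthenticationFailed:
        # Every failure, including a request with no credentials at all,
        # gets the same challenge; the client learns the realm from it.
        return 401, {"WWW-Authenticate": 'Basic realm="%s"' % REALM}
    return 200, {}
```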
