xml-rpc-dev mailing list archives

From Daniel Rall <...@finemaltcoding.com>
Subject Re: patch to correct improper handling of HTTP Basic authentication
Date Fri, 23 Aug 2002 20:16:00 GMT
Adam Megacz <adam@megacz.com> writes:

> Daniel Rall <dlr@finemaltcoding.com> writes:
> > Adam, this is mostly in there now.  I heavily modified your patch.
> > Please take a look when you have time and let us know what you think.
> 
> Yeah, I took a look at it. You should throw an AuthenticationFailed
> exception in XmlRpc.java as soon as it is determined that (user==null
> && handler instanceof AuthenticatedXmlRpcHandler).
> 
> As your code is written right now, it is a violation of HTTP for an
> AuthenticatedXmlRpcHandler to do anything other than throw an
> AuthenticationFailedException if user==null.  By not automatically
> throwing the exception, the new structure encourages people to write
> broken code.

Hi Adam.

My intention was to leave the authentication step up to the handler,
an approach which gives more freedom to the author.  However, if HTTP
demands a user name for Basic auth ('scuse my ignorance), we should
not only do as you suggest but also throw an AuthenticationFailed
exception if the empty string is used.  Does this sound okay?
-- 

Daniel Rall <dlr@finemaltcoding.com>
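
The check discussed in this thread, sketched as an added example (not code from the patch or from the project's source): the dispatcher rejects the call before an authenticated handler runs when no user name, or an empty one, was supplied. `Handler`, `AuthenticatedHandler`, `BasicAuthGate`, `parseBasic` and `dispatch` are hypothetical stand-ins for the types named in the messages, and the header values are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.List;

// Hypothetical stand-in types, named after the ones in the thread; not the project's source.
interface Handler { Object execute(String method, List<Object> params) throws Exception; }
interface AuthenticatedHandler {
    Object execute(String method, List<Object> params, String user, String password) throws Exception;
}
class AuthenticationFailed extends Exception { AuthenticationFailed(String m) { super(m); } }

public class BasicAuthGate {
    /** Returns {user, password} from an Authorization header value, or null if no usable Basic credentials. */
    static String[] parseBasic(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        try {
            String decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()),
                                        StandardCharsets.ISO_8859_1);
            int colon = decoded.indexOf(':');   // split on the first ':'; the password may contain more
            if (colon < 0) return null;
            return new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) };
        } catch (IllegalArgumentException badBase64) {
            return null;
        }
    }

    /** Dispatcher-level check: an authenticated handler is never invoked without a user name. */
    static Object dispatch(Object handler, String method, List<Object> params, String authHeader)
            throws Exception {
        String[] cred = parseBasic(authHeader);
        if (handler instanceof AuthenticatedHandler) {
            if (cred == null || cred[0].isEmpty()) {
                throw new AuthenticationFailed("no user name supplied for " + method);
            }
            return ((AuthenticatedHandler) handler).execute(method, params, cred[0], cred[1]);
        }
        return ((Handler) handler).execute(method, params);
    }

    public static void main(String[] args) throws Exception {
        AuthenticatedHandler h = (m, p, user, pw) -> "called as " + user;
        // Constructed header values: none, empty user (":secret"), and "adam:secret".
        String[] headers = { null, "Basic OnNlY3JldA==", "Basic YWRhbTpzZWNyZXQ=" };
        for (String hdr : headers) {
            try { System.out.println(dispatch(h, "demo.echo", List.of(), hdr)); }
            catch (AuthenticationFailed e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```

Because the rejection happens in `dispatch`, a handler author cannot forget it; the handler is left to decide only whether the supplied credentials are valid.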
