xml-rpc-dev mailing list archives

From Daniel Rall <...@finemaltcoding.com>
Subject Re: patch to correct improper handling of HTTP Basic authentication
Date Fri, 23 Aug 2002 22:14:10 GMT
Adam Megacz <adam@megacz.com> writes:

> Daniel Rall <dlr@finemaltcoding.com> writes:
> > My intention was to leave the authentication step up to the handler,
> > an approach which gives more freedom to the author.  However, if HTTP
> > demands a user name for Basic auth ('scuse my ignorance), we should
> > not only do as you suggest but also throw an AuthenticationFailed
> > exception if the empty string is used.  Does this sound okay?
> 
> That sounds fine.
> 
> The key concept here is that HTTP simply does not support the notion
> of "optional authentication".

HTTP does not support the notion of optional auth, but an XML-RPC
handler might (say, based on some configuration parameter).  Sorry if
I'm being dense here, but how does having the handler take care of the
authentication prevent proper HTTP basic auth?  If it does not, were
you trying to keep AuthenticatedXmlRpcHandler authors from shooting
themselves in the foot?

> A resource is either authenticated or not, and the process of
> authenticating to a resource involves first deliberately sending a
> failed attempt (which is how you get stuff like the realm, authtype,
> and digest nonce) before you send an authenticated attempt.

Right.
-- 

Daniel Rall <dlr@finemaltcoding.com>
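
The flow discussed in this thread, as an added example that is not part of the original message or of the Apache XML-RPC code base: a server-side check that answers any request lacking usable Basic credentials (no header, wrong scheme, bad encoding, empty user name) with a 401 challenge carrying the realm, and only otherwise hands user and password to a handler. The class, method and realm names are hypothetical, and treating an empty user name as a failure follows the suggestion made in the thread.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/** Added illustration; BasicAuthGate and its members are hypothetical names. */
public class BasicAuthGate {
    /** Outcome of inspecting one request's Authorization header. */
    static final class Decision {
        final int status;        // 200 = pass credentials to the handler, 401 = challenge
        final String challenge;  // WWW-Authenticate value when status is 401
        final String user, password;
        Decision(int status, String challenge, String user, String password) {
            this.status = status; this.challenge = challenge;
            this.user = user; this.password = password;
        }
    }

    /** realm is assumed to contain no '"' or '\' characters. */
    static Decision check(String authorizationHeader, String realm) {
        Decision challenge = new Decision(401, "Basic realm=\"" + realm + "\"", null, null);
        if (authorizationHeader == null) return challenge;   // first, unauthenticated attempt
        String[] parts = authorizationHeader.trim().split("\\s+", 2);
        if (parts.length != 2 || !parts[0].equalsIgnoreCase("Basic")) return challenge;
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(parts[1].trim()),
                                 StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return challenge;                                 // credentials are not valid base64
        }
        int colon = decoded.indexOf(':');                     // the user name cannot contain ':'
        if (colon <= 0) return challenge;                     // no separator, or empty user name
        return new Decision(200, null, decoded.substring(0, colon), decoded.substring(colon + 1));
    }

    public static void main(String[] args) {
        // Constructed sample headers: valid credentials, and an empty user name.
        String good = "Basic " + Base64.getEncoder()
                .encodeToString("alice:s3cret".getBytes(StandardCharsets.UTF_8));
        String emptyUser = "Basic " + Base64.getEncoder()
                .encodeToString(":s3cret".getBytes(StandardCharsets.UTF_8));
        for (String header : new String[] { null, emptyUser, good }) {
            Decision d = check(header, "xmlrpc");
            System.out.println(d.status + " " + (d.status == 401 ? d.challenge : d.user));
        }
    }
}
```

A handler that wants authentication to be optional would decide that after `check` returns, but the HTTP layer still has to send the 401 challenge before a client will supply credentials at all.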
