http://issues.apache.org/bugzilla/show_bug.cgi?id=43711

           Summary: 100-continue response when 401 expected
           Product: Apache httpd-2
           Version: 2.2.6
          Platform: Sun
        OS/Version: Solaris
            Status: NEW
          Keywords: RFC
          Severity: regression
          Priority: P2
         Component: Core
        AssignedTo: [email protected]
        ReportedBy: [EMAIL PROTECTED]

General comments
----------------
This bug is reproducible. I have marked it a regression because it works fine in Apache 1.3 but not in Apache 2. Here is the link to the email exchange on [EMAIL PROTECTED] on this issue: http://www.gossamer-threads.com/lists/apache/users/340314#340314

Overview Description:
---------------------
For PUT requests with an Expect: 100-continue header, Apache 2.2.6 server sends an HTTP/1.1 100 Continue response before checking to see if a 401 or 405 response might need to be sent for the request.

When the resource requires authentication, Apache 2.6 sends a 100 Continue instead of a 401. After the client sends the request body, Apache 2.2.6 returns a 401 and now the client ends up having to send the request body again. For a large request body, sending the entire body multiple times defeats the purpose of the continue response stated in the HTTP 1.1 RFC - http://www.w3.org/Protocols/rfc2616/rfc2616-sec8.html#sec8.2.3

When a resource does *not* require authentication, Apache 2.2.6 and Apache 1.3 both send a 100 Continue as expected and there are no issues there.

Steps to Reproduce:
---------------------
1-5 are to set up Apache for this test.

1. Create a directory named "secret" under htdocs.
2. Create a passwords file with user "test" and a passwd.
3. Create a .htaccess file in the secret directory. My .htaccess had -

    AuthType Basic
    AuthName "secret_access"
    AuthBasicProvider file
    AuthUserFile /opt/apache226/htdocs/.passwd
    Require user test

4. Enable PUT method support by adding "Script PUT /cgi-bin/put.cgi" to the httpd.conf.
5. I used the put script available at - http://www.apacheweek.com/issues/put1 for this test and copied it to the cgi-bin dir.
6. Send the following PUT request to the Apache 2 server.

    PUT /secret/test.html HTTP/1.1
    Host: 10.10.10.1:8080
    Expect: 100-continue
    Date: Mon, 15 Oct 2007 20:05:24 GMT
    Connection: Keep-Alive
    Content-Length: 49
    Content-Type: application/octet-stream

Actual Results:
-----------------

    HTTP/1.1 100 Continue

Expected Results:
------------------

    HTTP/1.1 401 Authorization Required
    Date: Mon, 15 Oct 2007 20:05:24 GMT
    Server: Apache/2.2.6 (Unix)
    WWW-Authenticate: Basic realm="secret_access"
    Content-Length: 401
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive

With Apache 1.3 the complete exchange was as follows -

    PUT /secret/test.html HTTP/1.1
    Host: 10.10.10.1:8888
    Expect: 100-continue
    Date: Mon, 15 Oct 2007 22:22:24 GMT
    Connection: Keep-Alive
    Content-Length: 49
    Content-Type: application/octet-stream

    HTTP/1.1 401 Authorization Required
    Date: Mon, 15 Oct 2007 22:22:24 GMT
    Server: Apache/1.3.33 (Unix)
    WWW-Authenticate: Basic realm="secret_access"
    Content-Length: 401
    Connection: close

    etc...

    PUT /secret/test.html HTTP/1.1
    Host: 10.10.10.1:8080
    Authorization: Basic dGVzdDp0ZXN0
    Date: Mon, 15 Oct 2007 22:22:24 GMT
    Connection: Keep-Alive
    Content-Length: 49
    Content-Type: application/octet-stream

    <html><body><h1>Secret works!</h1></body></html>

    HTTP/1.1 204
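The client side of the exchange in this report, as an added example that is not part of the original bug report or of Apache httpd: it sends the PUT headers with Expect: 100-continue, holds the body back until the first response head arrives, and flags the case where the body was uploaded only to be refused with a 401 or 405. The function names, the canned replies and the 49-byte placeholder body are assumptions constructed for illustration.

```python
import socket

def read_head(reader):
    """Parse one response head; return its numeric status code."""
    line = reader.readline()
    if not line:
        raise ConnectionError("connection closed before a response arrived")
    status = int(line.split()[1])
    while reader.readline() not in (b"\r\n", b"\n", b""):
        pass  # skip header lines up to the blank line
    return status

def put_with_expect(sock, host, path, body, wait=5.0):
    """Send PUT headers with Expect: 100-continue and hold the body back
    until the server answers. Returns (first_status, body_sent, final_status)."""
    head = (f"PUT {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Expect: 100-continue\r\n"
            f"Content-Length: {len(body)}\r\n"
            "Content-Type: application/octet-stream\r\n\r\n")
    sock.settimeout(wait)  # a silent server raises a timeout instead of hanging
    sock.sendall(head.encode("ascii"))
    with sock.makefile("rb") as reader:
        first = read_head(reader)
        if first != 100:
            return first, False, first  # rejected up front, body never sent
        sock.sendall(body)
        return first, True, read_head(reader)

def body_wasted(first, body_sent, final):
    """True for the reported behaviour: body uploaded, then refused."""
    return body_sent and final in (401, 405)

# Constructed replies (not captures) modelled on the report's two exchanges.
REJECT = (b"HTTP/1.1 401 Authorization Required\r\n"
          b'WWW-Authenticate: Basic realm="secret_access"\r\n'
          b"Content-Length: 0\r\n\r\n")
REJECT_FIRST = REJECT                                       # 401 before any body
CONTINUE_FIRST = b"HTTP/1.1 100 Continue\r\n\r\n" + REJECT  # 100, then 401

def replay(canned):
    """Run the client against a pre-loaded reply over a local socketpair."""
    client, server = socket.socketpair()
    with client, server:
        server.sendall(canned)
        return put_with_expect(client, "10.10.10.1:8080",
                               "/secret/test.html", b"x" * 49)

if __name__ == "__main__":
    for name, canned in (("401 first", REJECT_FIRST), ("100 first", CONTINUE_FIRST)):
        result = replay(canned)
        print(name, result, "body wasted:", body_wasted(*result))
```

To check a real server, pass `put_with_expect` a socket connected to it instead of using `replay`.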
