http://nagoya.apache.org/bugzilla/show_bug.cgi?id=18355

HttpState cannot differentiate credentials for different hosts with same Realm names

------- Additional Comments From [EMAIL PROTECTED] 2003-04-01 16:04 -------

Adrian,

I think it is a good start. At the moment I have two comments to throw at you:

1.) Since there's no way around adding an extra parameter for the HttpAuthenticator#authenticate method, why not pass a reference to HttpConnection instead of just a String that represents a host name?

    public static boolean HttpAuthenticator#authenticate(
        AuthScheme authscheme,
        HttpMethod method,
        HttpConnection conn,
        HttpState state)

We might need additional stuff (for instance, we might need 'virtual' host name in the future) that can be obtained from HttpConnection.

2.) Lower-cased concatenated host name and realm are inadequate as a realm map key for the reason pointed out by Chris Brown. RFC 2617 does not impose any format for the authentication realm. It's just a quoted string that may contain any sequence of characters. There's no way to differentiate credentials for the "admin.apache.org" host and "admin.apache.org" realm under existing mapping scheme, which would leave HttpClient open to exploits.

The solution to this problem is to use a dedicated class as a mapping key rather than just a string. I already whipped up a simple class called HttpAuthRealm that can cover this role. You'll find it attached to this bug report. It is still quite raw, so proceed with caution.

Otherwise, the patch looks good.

Oleg
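The key collision raised in point 2 of the comment above, shown as an added example that is not part of the original message or of HttpClient. ScopeKey is a hypothetical stand-in, not the attached HttpAuthRealm class, and the host and realm values are constructed.

```java
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;

public class RealmKeyDemo {
    // Hypothetical key class (not the attached HttpAuthRealm): host and realm
    // stay separate fields, so no realm string can run into the host name.
    static final class ScopeKey {
        private final String host;   // host names compare case-insensitively
        private final String realm;  // RFC 2617 realm: opaque, compared exactly

        ScopeKey(String host, String realm) {
            this.host = host.toLowerCase(Locale.ROOT);
            this.realm = realm;
        }
        @Override public boolean equals(Object o) {
            if (!(o instanceof ScopeKey)) return false;
            ScopeKey k = (ScopeKey) o;
            return host.equals(k.host) && Objects.equals(realm, k.realm);
        }
        @Override public int hashCode() { return Objects.hash(host, realm); }
    }

    // The scheme under review: lower-cased host and realm joined into one string.
    static String concatKey(String host, String realm) {
        return (host + realm).toLowerCase(Locale.ROOT);
    }

    public static void main(String[] args) {
        // Constructed (host, realm) pairs: four distinct authentication scopes.
        String[][] scopes = {
            {"host.example", ".org staff"}, {"host.example.org", " staff"},
            {"www.example.com", "Admin"},   {"www.example.com", "admin"},
        };
        Map<String, String> byString = new HashMap<>();
        Map<ScopeKey, String> byKey = new HashMap<>();
        for (String[] s : scopes) {
            String creds = "creds for " + s[0] + " / \"" + s[1] + "\"";
            byString.put(concatKey(s[0], s[1]), creds);  // later put overwrites
            byKey.put(new ScopeKey(s[0], s[1]), creds);
        }
        System.out.println("distinct scopes:      " + scopes.length);
        System.out.println("string-keyed entries: " + byString.size());
        System.out.println("ScopeKey entries:     " + byKey.size());
        // With the string key, a lookup for the first scope returns the
        // credentials stored for the second one.
        System.out.println(byString.get(concatKey(scopes[0][0], scopes[0][1])));
    }
}
```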
