On Sat, 2005-11-19 at 15:44 +0000, sebb wrote:
> On 19/11/05, Oleg Kalnichevski <[EMAIL PROTECTED]> wrote:
> > Hello Karl,
> >
> > Here's the relevant differences between HTTP requests generated using
> > 3.0rc3 and 3.0rc4 [1]. The only significant variation I can spot is that
> > qop and nc attributes generated by rc4 are not enclosed in quotes. This
> > change has been introduced in 3.0rc4 per bug report 36372 [2], which was
> > perfectly valid in my opinion. See the original discussion here
>
> Bug report 36372 only refers to nc, surely, not qop?
>
> > [3]. What is actually really fishy here is that the digest challenge
>
> Note that qop is quoted.
>
Hi Sebastian,
This is how I read the spec [1].
The qop attribute of the digest challenge must be enclosed in quotes
because it can have multiple comma-separated values:
<quote>
challenge = "Digest" digest-challenge
...
qop-options = "qop" "=" <"> 1#qop-value <">
qop-value = "auth" | "auth-int" | token
</quote>
Whereas the qop attribute of the digest response implies only one value
and therefore it does not have to be enclosed in quotes unless it
contains any special characters such as blanks or commas:
<quote>
credentials = "Digest" digest-response
...
message-qop = "qop" "=" qop-value
</quote>
So, to me this is clearly a compliance issue with the IIS (or whatever it
is) server. I personally do not mind making DigestScheme more lenient
provided it does not involve dragging in too many IIS-specific hacks.
After all, one can simply implement a custom auth scheme and plug it
into the HttpClient auth framework.
Cheers,
Oleg
[1] http://www.faqs.org/rfcs/rfc2617.html
> > sent by the server does not look like those usually generated by IIS
> > [4]. Even though the server identifies itself as IIS 6.0 it is likely to
> > be something else. So, overall this appears like a server side problem
>
> Are you sure it's not as per [4]?
>
> > to me. To test this assumption consider tweaking the source code here
> > [5], recompile HttpClient and see if that makes any difference
> >
> > Hope this helps
> >
> > Oleg
> >
> > [1]
> > 2c2
> > < header >> "User-Agent: Jakarta Commons-HttpClient/3.0-rc3[\r][\n]"
> > ---
> > > header >> "User-Agent: Jakarta Commons-HttpClient/3.0-rc4[\r][\n]"
> > 23c23
> > < header << "Date: Sat, 19 Nov 2005 10:13:17 GMT[\r][\n]"
> > ---
> > > header << "Date: Sat, 19 Nov 2005 10:13:41 GMT[\r][\n]"
> > 27c27
> > < header << "WWW-Authenticate: Digest qop="auth", realm="MapPoint",
> > nonce="058ce1c31bf6f30f7915932311001c0969ae245318c3a877671ae55744a3"[\r][\n]"
> > ---
> > > header << "WWW-Authenticate: Digest qop="auth", realm="MapPoint",
> > nonce="4da02d5cf00457a7122593231100904c92c9d9832c796c2a81bf3b8638ec"[\r][\n]"
> > 30c30
> > < header >> "User-Agent: Jakarta Commons-HttpClient/3.0-rc3[\r][\n]"
> > ---
> > > header >> "User-Agent: Jakarta Commons-HttpClient/3.0-rc4[\r][\n]"
> > 40c40
> > < header >> "Authorization: Digest username="107768", realm="MapPoint",
> > nonce="058ce1c31bf6f30f7915932311001c0969ae245318c3a877671ae55744a3",
> > uri="/Find-30/FindService.asmx",
> > response="a900983ea4ed8aa867ff97968c474b17", qop="auth", nc="00000001",
> > cnonce="e67d91e647da701da45ae7f100a61341"[\r][\n]"
> > ---
> > > header >> "Authorization: Digest username="107768", realm="MapPoint",
> > nonce="4da02d5cf00457a7122593231100904c92c9d9832c796c2a81bf3b8638ec",
> > uri="/Find-30/FindService.asmx",
> > response="5e2070488ae46efa833147acfa0f09a8", qop=auth, nc=00000001,
> > cnonce="f91a562bc4cd724171b8f50545cbb8a4"[\r][\n]"
> > 50,51c50,52
> > < header << "HTTP/1.1 200 OK[\r][\n]"
> > < header << "Date: Sat, 19 Nov 2005 10:13:18 GMT[\r][\n]"
> > ---
> > > header << "HTTP/1.1 401 Unauthorized[\r][\n]"
> > > header << "Connection: close[\r][\n]"
> > > header << "Date: Sat, 19 Nov 2005 10:13:42 GMT[\r][\n]"
> > 55,60c56,57
> >
> > [2] http://issues.apache.org/bugzilla/show_bug.cgi?id=36372
> >
> > [3]
> > http://www.mail-archive.com/[email protected]/msg01176.html
> >
> > [4]
> > http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/717b450c-f4a0-4cc9-86f4-cc0633aae5f9.mspx
>
> This seems to say that qop = "auth" | "auth-int" | "auth-conf".
>
> Also, rfc2617 says that the qop response should be chosen from one of
> the alternatives present in the WWW-Authenticate header - in which qop
> is quoted.
>
> So perhaps the problem is that both qop and nc have been "dequoted" -
> whereas as far as I can see qop should remain a quoted string
>
> If qop quoting _can_ vary, then the quoting strategy could perhaps be
> taken from the WWW-Authenticate header?
>
> Might be worth trying just quoting qop and seeing if this solves the
> problem...
>
> HTH.
>
> S.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>
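The quoting question debated in this thread, as an added example (not code from HttpClient or from either poster): a Python parser that accepts token or quoted-string for every attribute, as a lenient receiver would, and reports which digest-response attributes are quoted differently from the RFC 2617 productions. The function names and header values are constructed for illustration; `QUOTED_STYLE` mirrors the rc3 request in the trace and `TOKEN_STYLE` the rc4 one, and `uri` is left out of the check.

```python
import re

# auth-param = token "=" ( token | quoted-string ), comma separated.
_PARAM = re.compile(
    r'\s*([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))\s*(?:,|$)')

# Form the RFC 2617 digest-response productions give each attribute:
# True = quoted-string, False = bare token / hex digits.
RESPONSE_QUOTED = {"username": True, "realm": True, "nonce": True,
                   "response": True, "cnonce": True, "opaque": True,
                   "qop": False, "nc": False, "algorithm": False}

def parse_digest(header_value):
    """Return {name: (value, was_quoted)} for a Digest challenge or response."""
    scheme, _, rest = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    params, pos = {}, 0
    while pos < len(rest):
        m = _PARAM.match(rest, pos)
        if not m:
            raise ValueError(f"malformed auth-param at offset {pos}")
        quoted = m.group(2) is not None
        value = re.sub(r"\\(.)", r"\1", m.group(2)) if quoted else m.group(3)
        params[m.group(1).lower()] = (value, quoted)
        pos = m.end()
    return params

def quoting_deviations(params):
    """Response attributes quoted differently from the RFC 2617 grammar."""
    return sorted(n for n, (_, q) in params.items()
                  if RESPONSE_QUOTED.get(n, q) != q)

def values(params):
    """Attribute values with quoting discarded, as a lenient receiver sees them."""
    return {n: v for n, (v, _) in params.items()}

def challenge_qop_options(params):
    """qop-options is one quoted, comma-separated list, e.g. qop="auth,auth-int"."""
    return [v.strip() for v in values(params).get("qop", "").split(",") if v.strip()]

# Constructed headers modelled on the trace in this thread (values shortened).
CHALLENGE = 'Digest qop="auth", realm="MapPoint", nonce="n0"'
QUOTED_STYLE = ('Digest username="u", realm="MapPoint", nonce="n0", uri="/x", '
                'response="00112233445566778899aabbccddeeff", qop="auth", '
                'nc="00000001", cnonce="c0"')
TOKEN_STYLE = QUOTED_STYLE.replace('qop="auth"', 'qop=auth').replace(
    'nc="00000001"', 'nc=00000001')

if __name__ == "__main__":
    for name, hdr in (("quoted", QUOTED_STYLE), ("token", TOKEN_STYLE)):
        print(name, quoting_deviations(parse_digest(hdr)))
```

Both styles parse to the same attribute values, so a receiver built on a parser like this authenticates either form; only a receiver that matches one literal form rejects the other.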