Daniel Beck edited a comment on Improvement JENKINS-6610

I investigated this a bit.

The problem is that Jenkins sends the HTTP 403 header (Forbidden) when in the UI it shows a login form. Forbidden signals to the client that it's out of luck. So Basic auth only works when sent preemptively, without waiting for an HTTP 401 asking for a password.

Changing the response to HTTP 401 alone doesn't change anything. It requires sending a WWW-Authenticate header for it to work. When that is added, the RSS client (Vienna for OS X in my case) suddenly starts working. Unfortunately, web browsers then display the regular basic login form in addition to the login form, which isn't desirable.

Possible options (besides adding preemptive auth to RSS clients) include:

  • Distinguish the response by whether it would be RSS? Not possible reliably.
  • Browser sniffing, i.e. send WWW-Authenticate if it's not a known web browser (or if it's a known RSS reader)? Not possible reliably.
  • Make RSS feeds reachable via an UnprotectedRootAction that implements its own authentication and can send WWW-Authenticate without breaking interactive clients, a bit like the Build Token Root Plugin allows unauthenticated clients to build when the remote trigger token is known. But how to determine which RSS URL is called that way?
  • Add something to requests that should result in HTTP 401 + WWW-Authenticate. A parameter ?basic comes to mind, but that's not a great solution.
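The three server behaviours discussed above (403 as Jenkins sends today, a bare 401, and 401 with a WWW-Authenticate challenge) can be reproduced against the two kinds of Basic-auth client the comment distinguishes: one that waits for a challenge (urllib's HTTPBasicAuthHandler behaves like the RSS reader) and one that sends Authorization preemptively. The script below is an added example written for this page, not Jenkins code or anything from the issue; the credentials, realm, paths and the toy server are all made up for the demonstration.

```python
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed demo credentials and realm (hypothetical, not Jenkins' own).
USER, PASSWORD = "alice", "s3cret"
REALM = "demo"


def _authorized(handler):
    """True if the request carries a valid 'Authorization: Basic ...' header."""
    header = handler.headers.get("Authorization", "")
    if not header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(header[len("Basic "):], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    return decoded == f"{USER}:{PASSWORD}"


class Handler(BaseHTTPRequestHandler):
    """Unauthenticated requests get one of three responses, chosen by path:
    /forbidden     -> 403 (what Jenkins does: the HTML login form)
    /bare401       -> 401 without a challenge header
    /challenge     -> 401 + WWW-Authenticate: Basic realm="..."
    Authenticated requests always get a 200 with a tiny feed body."""

    def do_GET(self):
        if _authorized(self):
            body = b"<rss/>"
            self.send_response(200)
            self.send_header("Content-Type", "application/rss+xml")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
            return
        if self.path.startswith("/forbidden"):
            self.send_response(403)
        elif self.path.startswith("/bare401"):
            self.send_response(401)
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", f'Basic realm="{REALM}"')
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Start the toy server on an ephemeral loopback port in a daemon thread."""
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch_challenge_response(url):
    """Client that only sends credentials after a 401 + WWW-Authenticate
    challenge (the behaviour of a typical RSS reader). Returns the status."""
    mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    mgr.add_password(None, url, USER, PASSWORD)
    opener = urllib.request.build_opener(urllib.request.HTTPBasicAuthHandler(mgr))
    try:
        with opener.open(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def fetch_preemptive(url):
    """Client that sends Authorization on the first request. Returns the status."""
    token = base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_demo():
    """Map each server behaviour to (challenge-response status, preemptive status)."""
    server = start_server()
    base = f"http://127.0.0.1:{server.server_port}"
    results = {}
    for path in ("/forbidden", "/bare401", "/challenge"):
        url = base + path
        results[path] = (fetch_challenge_response(url), fetch_preemptive(url))
    server.shutdown()
    server.server_close()
    return results


if __name__ == "__main__":
    for path, (challenge, preemptive) in run_demo().items():
        print(f"{path:12} challenge-response={challenge} preemptive={preemptive}")
```

Only the /challenge endpoint lets the challenge-response client in; against 403 and a bare 401 it never sends credentials and just reports the error, while the preemptive client succeeds everywhere because the server never has to ask. That is exactly the gap the comment describes: the WWW-Authenticate header is what makes the difference, and it is the same header that makes browsers pop up their own login dialog.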