Hey, list
I'm performing authentication in a WSGI middleware, and I'm trying to
implement Kerberos (SPNEGO/GSSAPI) authentication. If authentication
fails, I need to respond with authentication headers indicating both
Negotiate and Basic authentication schemes. Firefox and Chromium both
expect two separate WWW-Authenticate headers, but modwsgi (or Apache?)
merges multiple headers into a single comma-separated header value. It
would seem to me that this is HTTP-conforming behaviour by
modwsgi/Apache, but in light of the situation with Firefox and Chromium, would
it be possible to somehow disable this?
How to reproduce:
- Write a WSGI script that responds with headers including
  [('WWW-Authenticate', 'Negotiate'), ('WWW-Authenticate', 'Basic realm="Internal Area"')]
- Run the WSGI script using Apache and modwsgi (WSGIPassAuthorization
  On may be necessary?)
- Execute curl --include https://your-server.com/app (or an
  equivalent way of inspecting the exact headers. Firebug and Chromium's
  inspect element do not always show them properly)
Expected: Two WWW-Authenticate headers
Got: A single WWW-Authenticate header with all values combined and
separated with commas, i.e. something like:
WWW-Authenticate: Negotiate, Basic realm="Internal Area"
Any ideas on how I can get two authenticate headers working?
Thanks,
Mark
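
The reproduction steps above as a runnable sketch, added here as an example and not part of the original post. It runs the WSGI script through the standard library's wsgiref handler instead of Apache/modwsgi, so the header lines the application itself emits can be compared with the merged form reported above; raw_response, header_lines and MERGED_SAMPLE are names made up for this example.

```python
import io
from wsgiref.handlers import SimpleHandler
from wsgiref.util import setup_testing_defaults

# The two challenges from the post, as separate WSGI header tuples.
CHALLENGES = [
    ("WWW-Authenticate", "Negotiate"),
    ("WWW-Authenticate", 'Basic realm="Internal Area"'),
]

def app(environ, start_response):
    """WSGI script from step 1: always answer 401 with both challenges."""
    body = b"authentication required\n"
    headers = [("Content-Type", "text/plain"),
               ("Content-Length", str(len(body)))] + CHALLENGES
    start_response("401 Unauthorized", headers)
    return [body]

def raw_response(application):
    """Run the app without Apache and return the exact bytes it would send."""
    environ = {}
    setup_testing_defaults(environ)
    out = io.BytesIO()
    SimpleHandler(io.BytesIO(), out, io.StringIO(), environ).run(application)
    return out.getvalue()

def header_lines(raw, name):
    """Return the value of every header line called `name`, one per line."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    prefix = name.lower() + ":"
    return [line.split(":", 1)[1].strip()
            for line in head.split("\r\n")[1:]      # skip the status line
            if line.lower().startswith(prefix)]

# Constructed sample of the merged response described under "Got:".
MERGED_SAMPLE = (b"HTTP/1.1 401 Unauthorized\r\n"
                 b'WWW-Authenticate: Negotiate, Basic realm="Internal Area"\r\n'
                 b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("app via wsgiref", raw_response(app)),
                       ("merged sample", MERGED_SAMPLE)):
        values = header_lines(raw, "WWW-Authenticate")
        print(f"{label}: {len(values)} header line(s): {values}")
```

Feeding the bytes captured by curl --include to header_lines gives the same count for the deployed server, which shows whether the merge happens after the application has handed over its headers.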