dlr         2002/09/27 10:20:06

  Modified:    src/java/org/apache/xmlrpc XmlRpcWorker.java
  Log:
  As determined on dev list discussion with Adam Megacz, throw an
  AuthenticationFailed exception in XmlRpcWorker's invokeHandler() if
  HTTP authentication is not provided for an AuthenticatedXmlRpcHandler.
  
  Daniel Rall <[EMAIL PROTECTED]> writes:
  > > The key concept here is that HTTP simply does not support the
  > > notion of "optional authentication".
  
  > HTTP does not support the notion of optional auth, but an XML-RPC
  > handler might (say, based on some configuration parameter).
  
  Er, if HTTP Basic authentication is being used, then XML-RPC *cannot*
  support optional authentication without violating the HTTP spec.  If
  the username and password are XML-RPC values, then you can do whatever
  you like.
  
  > If it does not, were you trying to keep AuthenticatedXmlRpcHandler
  > authors from shooting themselves in the foot?
  
  Exactly.  If the handler uses authentication, and user==null,
  returning a 401 is the *only* valid response.  This is something most
  people aren't aware of, and are extremely likely to screw up.
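The rule argued above (an AuthenticatedXmlRpcHandler reached without HTTP Basic credentials must answer 401, and cannot quietly treat authentication as optional) as an added example; this is not code from the commit or from Apache XML-RPC. It is a self-contained Python sketch of the server side of that decision: the method table, realm name, user store, handler names and the `dispatch()`/`challenge()` helpers are all made up for the demo, and Basic credentials are checked against a plaintext map only to keep the example short.

```python
import base64
import hmac
from typing import Callable, Dict, Optional, Tuple

# (status, response headers, body): a stand-in for the real HTTP layer
Response = Tuple[int, Dict[str, str], str]

REALM = "XML-RPC"                      # assumed realm name used in the challenge
USERS = {"alice": "s3cret"}            # constructed credential store (plaintext, demo only)

# Constructed method table: name -> (requires HTTP auth?, handler).
# Authenticated handlers receive the verified user name, in the spirit of
# AuthenticatedXmlRpcHandler.execute() receiving user and password.
HANDLERS: Dict[str, Tuple[bool, Callable[..., str]]] = {
    "system.ping":    (False, lambda: "pong"),
    "account.whoami": (True,  lambda user: f"you are {user}"),
}


def basic_header(user: str, password: str) -> str:
    """Build the value a client sends in 'Authorization' for HTTP Basic."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic_auth(value: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from an Authorization header value, or None when
    the header is absent, not Basic, malformed, or carries an empty user name."""
    if value is None:
        return None
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep or not user:            # no colon, or empty user: same as no credentials
        return None
    return user, password


def challenge() -> Response:
    """The only valid answer when Basic credentials are missing or wrong:
    401 plus WWW-Authenticate, which tells the client the scheme and realm."""
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, "authentication required"


def credentials_valid(user: str, password: str) -> bool:
    expected = USERS.get(user)
    if expected is None:
        return False
    # constant-time comparison of the password (user existence is not hidden here)
    return hmac.compare_digest(expected.encode(), password.encode())


def dispatch(method: str, headers: Dict[str, str]) -> Response:
    """Route one XML-RPC call. Handlers that do not need auth never look at the
    Authorization header; authenticated handlers run only after the credentials
    were checked, so a handler can never observe user == None."""
    entry = HANDLERS.get(method)
    if entry is None:
        return 404, {}, f"no such method: {method}"
    requires_auth, handler = entry
    if not requires_auth:
        return 200, {}, handler()
    # header names are case-insensitive
    auth_value = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    creds = parse_basic_auth(auth_value)
    if creds is None:
        return challenge()              # absent/malformed credentials: 401, never 200 with no user
    user, password = creds
    if not credentials_valid(user, password):
        return challenge()              # wrong credentials: 401 again, so the client may retry
    return 200, {}, handler(user)


if __name__ == "__main__":
    print(dispatch("system.ping", {}))
    print(dispatch("account.whoami", {}))
    print(dispatch("account.whoami", {"Authorization": basic_header("alice", "wrong")}))
    print(dispatch("account.whoami", {"Authorization": basic_header("alice", "s3cret")}))
```

The point the example makes concrete is that "optional" only exists at the method-table level: a method is either public (the header is ignored) or authenticated (no credentials yields the 401 challenge). There is no third state in which an authenticated handler runs with an empty user, which is the state the commit's new check is designed to rule out.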
  
  Revision  Changes    Path
  1.3       +11 -0     xml-rpc/src/java/org/apache/xmlrpc/XmlRpcWorker.java
  
  Index: XmlRpcWorker.java
  ===================================================================
  RCS file: /home/cvs/xml-rpc/src/java/org/apache/xmlrpc/XmlRpcWorker.java,v
  retrieving revision 1.2
  retrieving revision 1.3
  diff -u -u -r1.2 -r1.3
  --- XmlRpcWorker.java 26 Aug 2002 20:20:44 -0000      1.2
  +++ XmlRpcWorker.java 27 Sep 2002 17:20:06 -0000      1.3
  @@ -119,6 +119,17 @@
               }
               else if (handler instanceof AuthenticatedXmlRpcHandler)
               {
  +                // If HTTP authentication is in use, XML-RPC must
  +                // return a 401 HTTP status code when no user name is
  +                // supplied.  This provides authentication meta data
  +                // and tells clients to provide authentication on
  +                // subsequent requests.
  +                String userName = request.getUserName();
  +                if (userName == null || userName.length() == 0)
  +                {
  +                    throw new AuthenticationFailed
  +                        ("No user name provided for HTTP authentication");
  +                }
                   return ((AuthenticatedXmlRpcHandler) handler)
                       .execute(request.getMethodName(), request.getParameters(),
                                request.getUserName(), request.getPassword());
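Review bot: the guard `if (userName == null || userName.length() == 0)` covers only the user name, so a request carrying a user name with a null or empty password still reaches `execute(...)` via `request.getPassword()`; if the foot-gun being closed is handlers that treat missing credentials as "no auth", the password deserves the same check, or the comment should say that handlers must validate the password themselves. Two smaller points: the comment promises a 401, but this hunk only throws `AuthenticationFailed`, so the 401 (and the authentication metadata the comment refers to) is produced wherever that exception is caught, which is worth stating in the comment; and the `execute()` call still re-reads `request.getUserName()` where the `userName` local just computed could be passed instead.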