Maurizio Lotauro wrote:
> DZ-Jay <[EMAIL PROTECTED]> writes:
>
>> Fastream Technologies wrote:
>>> Hello,
>>>
>>> Thank you both for your replies. I found the problem myself: IE6 has a bug
>>> that makes it expect a comma before Realm="...".
>> That's really weird. Does adding the comma break it on Firefox or
>> Opera? The RFC does not specify that a comma is required, only
>> whitespace, and that [param]=[value] is what denotes a parameter.
>
> Comma is used to separate each [param]=[value] pair.
RFC2617 says that the authentication parameters are a comma-separated
list -- that is, if there is more than one parameter, they are separated
by commas. In this case, Realm is only *one* parameter. The comma after
the authentication method token is (or should be) invalid:
"1.2 Access Authentication Framework
[...]
HTTP provides a simple challenge-response authentication mechanism that
MAY be used by a server to challenge a client request and by a client to
provide authentication information. It uses an extensible,
case-insensitive token to identify the authentication scheme, followed
by a comma-separated list of attribute-value pairs which carry the
parameters necessary for achieving authentication via that scheme."
Furthermore, it adds the following warning, acknowledging that more than
one authentication token will complicate parsing:
"Note: User agents will need to take special care in parsing the WWW-
Authenticate or Proxy-Authenticate header field value if it contains
more than one challenge, or if more than one WWW-Authenticate header
field is provided, since the contents of a challenge may itself contain
a comma-separated list of authentication parameters."
And lastly, here's an example provided in section 3.5:
"3.5 Example

   HTTP/1.1 401 Unauthorized
   WWW-Authenticate: Digest
           realm="[EMAIL PROTECTED]",
           qop="auth,auth-int",
           nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
           opaque="5ccc069c403ebaf9f0171e9517f40e41"
"
As you can see, "realm", "qop", "nonce", and "opaque" are separated by
commas, since they are part of the parameter list; but there is no comma
between Digest and this list, since the parameter list qualifies as a
semantic token and the authentication tokens are whitespace delimited.
Conclusion: I believe that IE has a bug that does not comply with
RFC2617 -- perhaps this is originally an IIS bug of serving the headers
wrongly; but the browser is so popular that the broken authentication
mechanism is reproduced by most other servers and clients in order to be
compatible.
dZ.
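
An added example, not part of the original message or of any project's code: a small Python parser for a WWW-Authenticate value that keeps commas inside quoted strings intact, splits multiple challenges, and flags the comma-after-scheme form discussed in this thread. It handles only the name=value parameter form, and the sample headers and realm values are constructed placeholders.

```python
import re

# Lexer for token, quoted-string, "=" and "," (token characters per RFC 7230).
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_LEX = re.compile(r'\s*(?:(' + _TOKEN + r')|"((?:[^"\\]|\\.)*)"|(=)|(,))')

def _lex(value):
    value, pos, out = value.rstrip(), 0, []
    while pos < len(value):
        m = _LEX.match(value, pos)
        if not m:
            raise ValueError(f"unparseable header at offset {pos}")
        tok, quoted, eq, _comma = m.groups()
        if tok is not None:
            out.append(("tok", tok))
        elif quoted is not None:  # commas inside a quoted-string are data
            out.append(("str", re.sub(r"\\(.)", r"\1", quoted)))
        else:
            out.append(("eq" if eq else "comma", None))
        pos = m.end()
    return out

def parse_challenges(value):
    """Split a WWW-Authenticate value into challenges (auth-param form only)."""
    toks = _lex(value)
    kind = lambda j: toks[j][0] if j < len(toks) else None
    challenges, i = [], 0
    while i < len(toks):
        if kind(i) == "comma":
            i += 1
        elif kind(i) == "tok" and kind(i + 1) == "eq":  # name=value of latest scheme
            if not challenges or kind(i + 2) not in ("tok", "str"):
                raise ValueError("parameter without a scheme or a value")
            challenges[-1]["params"][toks[i][1].lower()] = toks[i + 2][1]
            i += 3
        elif kind(i) == "tok":
            # Bare token = new scheme; note a comma between it and its first parameter.
            quirk = [kind(i + k) for k in (1, 2, 3)] == ["comma", "tok", "eq"]
            challenges.append({"scheme": toks[i][1], "params": {},
                               "comma_after_scheme": quirk})
            i += 1
        else:
            raise ValueError("unexpected '=' or quoted-string")
    return challenges

# Constructed sample headers; realm and nonce values are placeholders.
RFC_FORM = 'Digest realm="example-realm", qop="auth,auth-int", nonce="abc"'
COMMA_FORM = 'Basic, realm="example-realm"'
TWO_CHALLENGES = 'Basic realm="a, b", Digest realm="c", nonce="n1"'
```
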