Maurizio Lotauro wrote:
> Scrive DZ-Jay <[EMAIL PROTECTED]>:
> 
>> Fastream Technologies wrote:
>>> Hello,
>>>
>>> Thank you both for your replies. I found the problem myself: IE6 has a bug
>>> that makes it expect a comma before Realm="...".
>> That's really weird.  Does adding the comma break it on Firefox or 
>> Opera?  The RFC does not specify that a comma is required, only 
>> whitespace, and that [param]=[value] is what denotes a parameter.
> 
> Comma is used to separate each [param]=[value] pair.


RFC2617 says that the authentication parameters is a comma-separated 
list -- that is if there are more than one parameter, they are separated 
by comma.  In this case, Realm is only *one* parameter.  The comma after 
  the authentication method token is (or should be) invalid:


"1.2 Access Authentication Framework
[...]
HTTP provides a simple challenge-response authentication mechanism that 
MAY be used by a server to challenge a client request and by a client to 
provide authentication information. It uses an extensible, 
case-insensitive token to identify the authentication scheme, followed 
by a comma-separated list of attribute-value pairs which carry the 
parameters necessary for achieving authentication via that scheme."


Furthermore, it adds the following warning, acknowledging that more than 
one authentication token will complicate parsing:


"Note: User agents will need to take special care in parsing the WWW- 
Authenticate or Proxy-Authenticate header field value if it contains 
more than one challenge, or if more than one WWW-Authenticate header 
field is provided, since the contents of a challenge may itself contain 
a comma-separated list of authentication parameters."

And lastly, here's an example provided in section 3.5:

"3.5 Example

        HTTP/1.1 401 Unauthorized
        WWW-Authenticate: Digest
                 realm="[EMAIL PROTECTED]",
                 qop="auth,auth-int",
                 nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
                 opaque="5ccc069c403ebaf9f0171e9517f40e41"
"

As you can see, "realm", "qop", "nonce", and "opaque" are separated by 
commas, since they are part of the parameter list; but there is no comma 
between Digest and this list, since the parameter list qualifies as a 
semantic token and the authentication tokens are whitespace delimited.

Conclusion:  I believe that IE has a bug that does not comply with 
RFC2617 -- perhaps this is originally an IIS bug of serving the headers 
wrongly; but the browser is so popular that the broken authentication 
mechanism is reproduced by most other servers and clients in order to be 
compatible.

        dZ.


-- 
To unsubscribe or change your settings for TWSocket mailing list
please goto http://www.elists.org/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be

Reply via email to