(Sorry for my last message, I clicked "Send" before I wrote anything on it!)

Maurizio Lotauro wrote:
> Are you sure? I quickly reread the RFC and it says that more than one
> challenge could be specified in the header, but a challenge is defined as
>   challenge = auth-scheme 1*SP 1#auth-param

Yes, I am sure.  It says that the "auth-scheme" token must be at least 
one valid authentication mechanism, and specifies that they should be 
listed in the order of preference.

> So the question is if the Basic must be specified after the last parameter of 
> Digest.

In that case, it means that Digest is supported, and preferred over 
Basic, but that Basic will be allowed if the client does not support Digest.

> In any case the realm is defined as quoted-string but in the above header it is 
> written without quotes.

In my example, it was (realm="foo").  It refers to the value of the 
realm, which must be a quoted-string, not the parameter name itself.

> As a side note, the THttpCli doesn't expect more than one challenge per header. 
> How often is it used by servers to specify more than one challenge per header?

I don't think it is very often.  I mean, for example, if you require 
Digest, why would you allow Basic?  And more often than not, clients 
merely support Basic and nothing else, except in proprietary 
environments, in which case, you then specify the *only* mechanism that 
you will support.

But still, it is specified in the RFC, and even emphasized on a side 
note as a caveat, so I believe it should be implemented, just to be 
fully compliant.  Eventually. :)
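
An added example, not part of the original message and not THttpCli code: a Python sketch of a client parsing one WWW-Authenticate header that carries several challenges, then answering the strongest scheme it implements so that a server offering both Digest and Basic never gets a Basic reply. The names parse_challenges, choose_challenge, PREFERENCE and SAMPLE are hypothetical; the header value is constructed; token68-style credentials (as used by some other schemes) are not handled.

```python
import re

TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
# One list element: optional "auth-scheme SP" prefix, then name=value, where the
# value is a token or a quoted-string (a comma inside quotes is data).
PARAM = re.compile(rf'\s*(?:({TOKEN})\s+)?({TOKEN})\s*=\s*'
                   rf'("(?:[^"\\]|\\.)*"|{TOKEN})\s*(?:,|$)')
BARE = re.compile(rf'\s*({TOKEN})\s*(?:,|$)')   # a scheme with no parameters

# Schemes this hypothetical client implements, strongest first.
PREFERENCE = ("digest", "basic")

# Constructed sample: two challenges in one header, with a comma inside a value.
SAMPLE = 'Digest realm="foo", nonce="a,b", qop="auth", Basic realm="foo"'

def parse_challenges(header):
    """Return [(scheme, {param: value}), ...] in the order the server sent them."""
    header, challenges, pos = header.strip(), [], 0
    while pos < len(header):
        m = PARAM.match(header, pos)
        if m:
            scheme, name, value = m.groups()
            if scheme:                       # "Basic realm=..." opens a new challenge
                challenges.append((scheme, {}))
            elif not challenges:
                raise ValueError("auth-param before any auth-scheme")
            if value.startswith('"'):        # unquote and undo backslash escapes
                value = re.sub(r'\\(.)', r'\1', value[1:-1])
            challenges[-1][1][name.lower()] = value
        else:
            m = BARE.match(header, pos)
            if not m:
                raise ValueError(f"malformed challenge at offset {pos}")
            challenges.append((m.group(1), {}))
        pos = m.end()
    return challenges

def choose_challenge(header):
    """Pick the strongest offered scheme the client implements, or None."""
    offered = {s.lower(): (s, p) for s, p in reversed(parse_challenges(header))}
    for scheme in PREFERENCE:
        if scheme in offered:
            return offered[scheme]
    return None

if __name__ == "__main__":
    print(choose_challenge(SAMPLE))
```

A client that stops at the first comma, or assumes one challenge per header, would either misread `Basic realm="foo"` as a Digest parameter or drop it entirely.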


