Maurizio Lotauro wrote:
>> Digest authentication requires at least one server challenge per
>> protection space (realm). This is similar to basic authentication
>> which may use a realm as challenge (currently not supported by basic
>> in both THttpCli and THttpServer).
> The last sentence is not clear to me, can you explain?

This was not quite correct since the THttpServer actually allows to
specify a realm with basic authentication as well. However it is 
not easy in the THttpCli to obtain this value unless you parse the
AuthorizationRequest list. Both Basic and Digest server responses
include a realm:

RFC 2617:
" 2 Basic Authentication Scheme

   The "basic" authentication scheme is based on the model that the
   client must authenticate itself with a user-ID and a password for
   each realm.  The realm value should be considered an opaque string
   which can only be compared for equality with other realms on that
   server. The server will service the request only if it can validate
   the user-ID and password for the protection space of the Request-URI.
   There are no optional authentication parameters. "

Also, both do not require a persistant connection and both require
just a _single server challenge, that's the similarity I meant. 

>> Any thoughts and suggestions?
> I already made a similar change. I have a modified version of
> THttpCli where I changed how the authentication is handled, so it is
> very easy to add a new one, and without touching the THttpCli class.
> As support I added an event so the authentication can be handled by
> the application or by an inherited class. 
> In fact I have a derived class that ask for user and password and
> cache these information so it will not ask again.

Something like that is required, also because current authentication 
code in the THttpCli is a complicated nightmare, error-prone and
contains plenty of duplicated code. 

> All this is at least three year old and I think it can be considered
> stable. If you want I can send it to you. But keep in mind that after
> our recent discussion about the authentication problem with Tomcat I
> planned to revise it to avoid the double request.

Yes, please send it as PM.

Arno Garrels [TeamICS]


To unsubscribe or change your settings for TWSocket mailing list
please goto
Visit our website at

Reply via email to