Santy, Michael wrote:
> Does the heuristic you use include the URL path?

Access to the URL path for which the user credentials are required is part of the Java[tm] API 1.5+. XXE is compiled against the Java API 1.4.

> If your heuristic only checks the host/port/prompt/scheme and not the
> requested path, you will unnecessarily throw away credentials and
> therefore re-prompt the user when loading an XML file with 10 images,
> assuming that they are all on the same host/port/prompt/scheme.

This is not needed. The Java authenticator, which is supposed to prompt the user, is invoked by the Java runtime only when this is needed.

Suppose that the implementation of Authenticator were invoked each time a protected file is to be downloaded; this would mean that the implementation of Authenticator has to cache previously specified credentials. How could it do that when the API of the *Authenticator* does not allow checking whether these credentials have been accepted or rejected?

I've tested this, and moreover I've read Sun's source code to make sure that the Java runtime indeed caches the credentials. You'll be able to check this yourself because I'll tell you this morning where to download the final beta of XXE v3.6.2.

Note that I would nevertheless prefer to remove the heuristic I've added to work around the problem you have described because:

[1] It is not conceptually clean.

[2] It is not 100% safe because it is based on an undocumented, though dictated by common sense, behavior of the Java runtime.
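The following is an added, self-contained example (not code from XXE, Sun, or either participant in this thread) that lets a reader reproduce the behaviour the message describes: a counting `Authenticator` is installed with `Authenticator.setDefault`, a local `com.sun.net.httpserver` instance protects a path with HTTP Basic authentication under the constructed realm "images", and three protected files are fetched through `HttpURLConnection`. The server, realm, user name, password and file names are all constructed for the demonstration; it assumes Java 9 or later (for `InputStream.readAllBytes`) and a free loopback port.

```java
import com.sun.net.httpserver.BasicAuthenticator;
import com.sun.net.httpserver.HttpContext;
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.io.InputStream;
import java.net.Authenticator;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.PasswordAuthentication;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.atomic.AtomicInteger;

public class AuthCacheDemo {
    static final AtomicInteger PROMPTS = new AtomicInteger();

    // Stand-in for the Authenticator that would prompt the user: it records every
    // invocation and answers with fixed (constructed) credentials.
    static class CountingAuthenticator extends Authenticator {
        @Override
        protected PasswordAuthentication getPasswordAuthentication() {
            int n = PROMPTS.incrementAndGet();
            // getRequestingURL() exists since Java 5; the other accessors are available in 1.4.
            System.out.printf("prompt #%d: host=%s port=%d scheme=%s prompt=%s url=%s%n",
                    n, getRequestingHost(), getRequestingPort(), getRequestingScheme(),
                    getRequestingPrompt(), getRequestingURL());
            return new PasswordAuthentication("user", "secret".toCharArray());
        }
    }

    public static void main(String[] args) throws IOException {
        // Local server on an ephemeral loopback port; every path is protected by Basic auth.
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        HttpContext ctx = server.createContext("/", exchange -> {
            byte[] body = ("you fetched " + exchange.getRequestURI()).getBytes(StandardCharsets.UTF_8);
            exchange.sendResponseHeaders(200, body.length);
            exchange.getResponseBody().write(body);
            exchange.close();
        });
        ctx.setAuthenticator(new BasicAuthenticator("images") { // constructed realm name
            @Override
            public boolean checkCredentials(String username, String password) {
                return "user".equals(username) && "secret".equals(password);
            }
        });
        server.start();
        int port = server.getAddress().getPort();

        Authenticator.setDefault(new CountingAuthenticator());
        try {
            // Three protected files on the same host/port/scheme/realm, like images referenced
            // from one XML document.
            for (int i = 1; i <= 3; i++) {
                fetch(new URL("http://127.0.0.1:" + port + "/img/" + i + ".png"));
            }
            System.out.println("Authenticator invocations for 3 protected files: " + PROMPTS.get());
        } finally {
            server.stop(0);
        }
    }

    // Fetch one URL with HttpURLConnection; the runtime handles the 401 challenge and retries
    // with whatever the default Authenticator (or its credential cache) supplies.
    static void fetch(URL url) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        try (InputStream in = conn.getInputStream()) {
            String body = new String(in.readAllBytes(), StandardCharsets.UTF_8);
            System.out.println(conn.getResponseCode() + " " + body);
        }
    }
}
```

Compile and run with `javac AuthCacheDemo.java && java AuthCacheDemo`. If the runtime caches accepted credentials as the message states, the final line reports a single Authenticator invocation for the three downloads; an Authenticator that had to de-duplicate prompts itself would have no way of knowing, from its own API, whether the credentials it returned the first time were accepted.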

