Santy, Michael wrote:
> 
> XXE properly prompts a user for authentication when trying to load an 
> XML file over HTTP protected with Basic authentication, but if a user 
> incorrectly enters their credentials, XXE gives an error message and 
> does not prompt the user to re-enter their credentials.  I think it 
> makes sense to re-prompt the user for their credentials as web browsers 
> currently do.  Would it be possible to get this feature added?
> 

This problem is not easy to fix because it is not XXE which prompts a 
user for authentication when trying to load an XML file over HTTP 
protected with Basic authentication, it is the Java runtime which does 
that (without giving XXE much information about the current context). 
XXE just provides the password dialog box.

We have added a workaround for the problem you described based on a 
heuristic. We hope that this workaround 1) will work in the real world, 
2) will not cause more problems than the one it solves.


