I have had further from Adam Megacz <[EMAIL PROTECTED]> the author of XWT on this issue.
I believe I should raise a collector issue on this, however do people believe this is a correct assessment of the situation. ====================================================================== Tim Hoffman <[EMAIL PROTECTED]> writes: > The xmlrpc spec doesn't say anything about authentication. > ... > I suppose this whole area is pretty vague. Actually, it references the HTTP spec, which is quite clear about requiring a 401. http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2 Without the 401, you don't know the authentication realm, authentication type, or digest nonce -- three things you need to know in order to authenticate (although the last one is only needed for Digest auth, not Basic Auth). Unfortunately, it seems that a lot of XML-RPC libraries are broken in this manner. I'm working with the Apache people right now on fixing the Java libraries -- could you please work with the Python people to get this fixed? I think this is a result of the fact that HTTP Auth isn't used very often in XML-RPC, although it should be. I'm working on an RFC for XML-RPC, and I will certainly include some wording which underscores the importance of the 401 response. http://www.xwt.org/xmc/draft-megacz-xmc-05.txt - a -- Sick of HTML user interfaces? www.xwt.org ========================================================================= On Thu, 2002-08-15 at 10:47, Tim Hoffman wrote: > Hi > > I am working on a project that uses XWT (xwt.org) as a frontend to Zope. > > XWT uses XMLRPC to communicate with a backend (in this case Zope). > > XWT expects an Error 401 is authentication is required on an XMLRPC > call, so that it can negotiate the correct auth method > > The author of XWT sent the following email to me > > >Tim, I've got a piece of the answer -- your server needs to return an > >HTTP 401 (Unauthorized) if no username/password is provided. This > >response includes the challenge that XWT needs in order to build an > >authentication request (realm, digest nonce challenge, etc). > > However what Zope is doing is sending back a <fault> in the > XMLRPC <methodResponse> packet. > > So it appears to me that Zope doesn't send a http response 401 for > XMLRPC (over http), but will send a 401 back to the browser. > > XMLRPC doesn't say anything about authentication, so I suppose either > method is acceptable. However because XMLRPC is implemented > on top of http, I would have thought a http approach (ie error 401) > would be used. > > It appears that this behaviour is fundamental to Zope and is not an > artifact of cookie auth in CMF etc.. > > Is this really correct behaviour ? > > Regards > > Tim Hoffman > > > > > > _______________________________________________ > Zope-Dev maillist - [EMAIL PROTECTED] > http://lists.zope.org/mailman/listinfo/zope-dev > ** No cross posts or HTML encoding! ** > (Related lists - > http://lists.zope.org/mailman/listinfo/zope-announce > http://lists.zope.org/mailman/listinfo/zope ) _______________________________________________ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
