HTTPCredentials not according to HTTP spec

Please post support and help requests here.
Posts: 3
Joined: 24 Jun 2014, 04:07

HTTPCredentials not according to HTTP spec

Postby JoeF » 24 Jun 2014, 04:33


It seems as if HTTPCredentials only supports one scheme and authinfo.
However, the HTTP spec RFC 2616 allows multiple WWW-authenticate headers and/or multiple challenges.
"14.47 WWW-Authenticate

The WWW-Authenticate response-header field MUST be included in 401
(Unauthorized) response messages. The field value consists of at
least one challenge that indicates the authentication scheme(s) and
parameters applicable to the Request-URI.

WWW-Authenticate = "WWW-Authenticate" ":" 1#challenge

The HTTP access authentication process is described in "HTTP
Authentication: Basic and Digest Access Authentication" [43]. User
agents are advised to take special care in parsing the WWW-
Authenticate field value as it might contain more than one challenge,
or if more than one WWW-Authenticate header field is provided, the
contents of a challenge itself can contain a comma-separated list of
authentication parameters."

Only looking at the first WWW-Authenticate header would cause Poco to fail when a server, e.g., on a Microsoft OS, sends one of its proprietary schemes (e.g., NTLM) as first entry and Basic or Digest scheme as additional challenges.

Posts: 1375
Joined: 11 Jul 2006, 16:27
Location: United_States

Re: HTTPCredentials not according to HTTP spec

Postby alex » 26 Jun 2014, 01:53

GitHub issue #478

Return to “Support”

Who is online

Users browsing this forum: No registered users and 4 guests