Posted to bugs@httpd.apache.org by bu...@apache.org on 2006/01/04 01:25:32 UTC

DO NOT REPLY [Bug 38114] New: - Authorization header ignored -- it should be handled always

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=38114>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=38114

           Summary: Authorization header ignored -- it should be handled
                    always
           Product: Apache httpd-2
           Version: 2.0.49
          Platform: Other
        OS/Version: other
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_auth
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: lisa@osafoundation.org
                CC: gstein@lyra.org,julian.reschke@gmx.de


We're trying to understand how HTTP and WebDAV clients can pre-emptively
authenticate.  I note in looking for duplicate bugs on this topic that there's
already been some work on getting HTTP-client to be able to pre-emptively
authenticate (http://issues.apache.org/bugzilla/show_bug.cgi?id=10532).  But we
seem to have found a case where this doesn't work -- perhaps it's because the
resource we queried doesn't require authentication in order to download.  

Here's the telnet session of Julian Reschke testing this:

Trying 66.96.29.211...
Connected to www.webdav.org.
Escape character is '^]'.
GET /bind/ HTTP/1.1
Host: www.webdav.org
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==


HTTP/1.1 200 OK
Date: Sat, 31 Dec 2005 11:11:56 GMT
Server: Apache/2.0.49 (Fedora)
Last-Modified: Mon, 18 Jul 2005 13:44:03 GMT
ETag: "46d0c1-5df6-cae68ec0"
Accept-Ranges: bytes
Content-Length: 24054
Content-Type: text/html; charset=UTF-8

<html xmlns:v="urn:schemas-microsoft-com:vml"
xmlns:o="urn:schemas-microsoft-com:office:office"
xmlns:w="urn:schemas-microsoft-com:office:word"
xmlns="http://www.w3.org/TR/REC-html40">

... rest of response truncated ...

---

What we expected to happen, rather than a 200 OK, would be a 401 Unauthenticated
with an authentication challenge.  Once the client gets the authentication
challenge with the domain, it can maybe do a successful authentication.

My understanding of why it should happen that way is based on RFC2617
(http://rfc.net/rfc2617.html#s1.2):

   "If the origin server does not wish to accept the credentials sent
   with a request, it SHOULD return a 401 (Unauthorized) response. The
   response MUST include a WWW-Authenticate header field containing at
   least one (possibly new) challenge applicable to the requested
   resource."

In this case webdav.org is the origin server, and we believe it did not accept
the credentials.  Those credentials (copied from the example in RFC2617) should
map to the userid "Aladdin" and password "open sesame" which we didn't expect
ought to work :)

Is there something we're not aware of here or some reason why the server ignores
the SHOULD in RFC2617?  -- thanks

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


DO NOT REPLY [Bug 38114] - Authorization header ignored -- it should be handled always

Posted by bu...@apache.org.

http://issues.apache.org/bugzilla/show_bug.cgi?id=38114


jorton@redhat.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX




------- Additional Comments From jorton@redhat.com  2006-01-04 17:13 -------
Yes, the header is ignored if there is no authz requirement configured for the
resource.  I don't think that violates the 2617 SHOULD; the server *does* accept
the credentials and just ignores them, it has no reason to reject them.

(Indeed, the client may very legitimately be sending the Auth header for this
resource because e.g. it has just moved out of an auth-protected domain
somewhere else in this URI space.)

There is no 401 response that could be sent anyway; there is no realm
configured, no scheme chosen, etc., so what 401 would you expect exactly anyway?

I'd say that the idea of pre-emptively authenticating yourself in a
challenge/response authentication mechanism such as HTTP's, is, um, challenging
:)  But we can discuss this on the HTTP WG list or somewhere rather than httpd
bugzilla.

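The behaviour discussed in the report and in jorton's reply, as an added model (not httpd code and not anything posted to the bug): a server that only consults the Authorization header where an authz requirement is configured, and an RFC 2617-style client that sends Basic credentials pre-emptively only for URIs inside a protection space it has already been challenged for. The `PROTECTED` configuration, the realm string and the user list are constructed for the example; the `/bind/` request with the RFC 2617 "Aladdin" credentials is the one from the telnet session.

```python
"""Toy model of HTTP Basic handling with and without a configured authz
requirement.  Added example only; not part of httpd or of this bug report."""
import base64
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed configuration: URI prefix -> (realm, {user: password}).
# Only these locations carry an authz requirement; everything else is open,
# so (as jorton notes) there is no realm or scheme to build a 401 from.
PROTECTED: Dict[str, Tuple[str, Dict[str, str]]] = {
    "/private/": ("WebDAV Test Area", {"alice": "correct horse"}),
}


def basic_header(user: str, password: str) -> str:
    """Build an RFC 2617 Basic credential: 'Basic ' + base64(user:password)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic(header_value: str) -> Optional[Tuple[str, str]]:
    """Decode 'Basic <base64>' into (user, password); None if malformed."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def find_protection(path: str) -> Optional[Tuple[str, Dict[str, str]]]:
    """Return (realm, users) for the first protected prefix matching path."""
    for prefix, protection in PROTECTED.items():
        if path.startswith(prefix):
            return protection
    return None


def handle_request(path: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Decide the response to GET path: (status, response headers).

    Unprotected location: the Authorization header is never looked at, so the
    Aladdin credentials from the telnet session yield 200 with no challenge.
    Protected location: missing or wrong credentials get 401 plus the
    WWW-Authenticate challenge RFC 2617 requires; valid ones get 200.
    """
    protection = find_protection(path)
    if protection is None:
        return 200, {}
    realm, users = protection
    challenge = {"WWW-Authenticate": f'Basic realm="{realm}"'}
    creds = parse_basic(headers.get("Authorization", ""))
    if creds is None:
        return 401, challenge
    user, password = creds
    # Constant-time compare; unknown users compare against an empty string.
    if not hmac.compare_digest(users.get(user, ""), password):
        return 401, challenge
    return 200, {}


@dataclass
class Client:
    """Minimal client: remembers protection spaces learned from 401 challenges."""
    credentials: Tuple[str, str]
    known_spaces: Set[str] = field(default_factory=set)  # constructed state

    def should_preauth(self, path: str) -> bool:
        """RFC 2617 lets a client send credentials pre-emptively for other URIs
        in a protection space it has already been challenged for.  Anywhere
        else the header is simply ignored (the www.webdav.org case), so sending
        it only exposes the credentials for no benefit."""
        return any(path.startswith(p) for p in self.known_spaces)

    def request(self, path: str) -> Tuple[int, bool]:
        """GET path against handle_request; returns (status, credentials_sent)."""
        headers: Dict[str, str] = {}
        if self.should_preauth(path):
            headers["Authorization"] = basic_header(*self.credentials)
        status, _ = handle_request(path, headers)
        if status == 401:
            # Learn the protection space (the challenged URI's directory) and retry.
            self.known_spaces.add(path.rsplit("/", 1)[0] + "/")
            headers["Authorization"] = basic_header(*self.credentials)
            status, _ = handle_request(path, headers)
        return status, "Authorization" in headers


if __name__ == "__main__":
    # The telnet session from the report: credentials ignored, 200, no challenge.
    print(handle_request("/bind/", {"Authorization": "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="}))
    c = Client(("alice", "correct horse"))
    print(c.request("/bind/"), c.request("/private/notes.txt"), sorted(c.known_spaces))
```

Running the module shows the two cases side by side: the open `/bind/` request returns `200` with an empty header set no matter what Authorization carries, while the first request into `/private/` is challenged, retried with credentials, and only then does the client start sending them pre-emptively for that prefix.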