Posted to rpc-dev@xml.apache.org by Daniel Rall <dl...@finemaltcoding.com> on 2002/09/27 19:20:41 UTC

Re: patch to correct improper handling of HTTP Basic authentication

Adam Megacz <ad...@megacz.com> writes:

> Daniel Rall <dl...@finemaltcoding.com> writes:
> > > The key concept here is that HTTP simply does not support the notion
> > > of "optional authentication".
> 
> > HTTP does not support the notion of optional auth, but an XML-RPC
> > handler might (say, based on some configuration parameter).
> 
> Er, if HTTP Basic authentication is being used, then XML-RPC *cannot*
> support optional authentication without violating the HTTP spec.  If
> the username and password are XML-RPC values, then you can do whatever
> you like.
> 
> 
> > If it does not, were you trying to keep AuthenticatedXmlRpcHandler
> > authors from shooting themselves in the foot?
> 
> Exactly.  If the handler uses authentication, and user==null,
> returning a 401 is the *only* valid response.  This is something most
> people aren't aware of, and are extremely likely to screw up.

Done, let me know if it matches up with how you were seeing it.
-- 

Daniel Rall <dl...@finemaltcoding.com>
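
The rule discussed in this thread, as an added example that is not part of the original messages or of the Apache XML-RPC code: when a handler requires HTTP Basic authentication and the request carries no usable credentials, the server answers 401 with a WWW-Authenticate challenge instead of invoking the handler. The names `parse_basic`, `check`, `respond`, `REALM` and `USERS` are hypothetical, and the credential store is constructed for the demo.

```python
import base64
import binascii
import hmac

REALM = "xmlrpc"              # constructed realm name
USERS = {"alice": "s3cret"}   # constructed credential store for the demo


def parse_basic(header):
    """Return (user, password) from an Authorization header value, or None."""
    if not header:
        return None  # no header at all: this is the user == null case
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed token is treated like missing credentials
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def check(user, password):
    """Constant-time password comparison; unknown users always fail."""
    expected = USERS.get(user)
    same = hmac.compare_digest((expected or "").encode(), password.encode())
    return expected is not None and same


def respond(authorization, requires_auth, call):
    """Return (status, headers, body) for one request.

    authorization: raw Authorization header value or None.
    call: the handler, invoked with the authenticated user name (or None).
    """
    if not requires_auth:
        return 200, {}, call(None)
    creds = parse_basic(authorization)
    if creds is None or not check(*creds):
        # Never fall through to the handler as an anonymous caller.
        return 401, {"WWW-Authenticate": 'Basic realm="%s"' % REALM}, ""
    return 200, {}, call(creds[0])


if __name__ == "__main__":
    hello = lambda user: "hello %s" % user
    print(respond(None, True, hello))                        # no credentials
    print(respond("Basic YWxpY2U6czNjcmV0", True, hello))    # alice:s3cret
```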