Posted to rpc-dev@xml.apache.org by Daniel Rall <dl...@finemaltcoding.com> on 2002/09/27 19:20:41 UTC
Re: patch to correct improper handling of HTTP Basic authentication
Adam Megacz <ad...@megacz.com> writes:
> Daniel Rall <dl...@finemaltcoding.com> writes:
> > > The key concept here is that HTTP simply does not support the notion
> > > of "optional authentication".
>
> > HTTP does not support the notation of optional auth, but an XML-RPC
> > handler might (say, based on some configuration parameter).
>
> Er, if HTTP Basic authentication is being used, then XML-RPC *cannot*
> support optional authentication without violating the HTTP spec. If
> the username and password are XML-RPC values, then you can do whatever
> you like.
>
>
> > If it does not, were you trying to keep AuthenticatedXmlRpcHandler
> > authors from shooting themselves in the foot?
>
> Exactly. If the handler uses authentication, and user==null,
> returning a 401 is the *only* valid response. This is something most
> people aren't aware of, and are extremely likely to screw up.
Done, let me know if it matches up with how you were seeing it.
--
Daniel Rall <dl...@finemaltcoding.com>
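
The rule discussed in the thread (a handler that uses authentication must answer 401 when no user was supplied), as an added example that is not part of the original message or of Apache XML-RPC. The class `BasicAuthGate`, its methods and the realm name are hypothetical, and checking the credentials themselves is assumed to be the handler's job.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added illustration; class and method names are hypothetical, not Apache XML-RPC code.
public class BasicAuthGate {
    /** Returns {user, password} from an Authorization header, or null if absent or malformed. */
    static String[] parseBasic(String header) {
        if (header == null) return null;
        String[] parts = header.trim().split("\\s+", 2);
        if (parts.length != 2 || !parts[0].equalsIgnoreCase("Basic")) return null;
        try {
            String decoded = new String(Base64.getDecoder().decode(parts[1].trim()),
                                        StandardCharsets.ISO_8859_1);
            int colon = decoded.indexOf(':');   // split on the first ':'; password may contain more
            if (colon < 0) return null;
            return new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) };
        } catch (IllegalArgumentException e) {  // token was not valid base64
            return null;
        }
    }

    /** Builds the status line (and challenge header, if any) for a request to a handler. */
    static String respond(String authorizationHeader, boolean handlerUsesAuth, String realm) {
        String[] creds = parseBasic(authorizationHeader);
        if (handlerUsesAuth && creds == null) {
            // No usable credentials: send the challenge instead of dispatching with user == null.
            return "HTTP/1.1 401 Unauthorized\r\n"
                 + "WWW-Authenticate: Basic realm=\"" + realm + "\"\r\n";
        }
        // Credentials present, or the handler does not use authentication:
        // the call would be dispatched here and the handler would verify creds.
        return "HTTP/1.1 200 OK\r\n";
    }

    public static void main(String[] args) {
        // Constructed sample credentials, not taken from the thread.
        String header = "Basic " + Base64.getEncoder()
            .encodeToString("alice:s3cret:x".getBytes(StandardCharsets.ISO_8859_1));
        System.out.print(respond(null, true, "xmlrpc"));         // no Authorization header
        System.out.print(respond("Basic !!!", true, "xmlrpc"));  // malformed base64 token
        System.out.print(respond(header, true, "xmlrpc"));       // well-formed credentials
        System.out.print(respond(null, false, "xmlrpc"));        // handler without authentication
    }
}
```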