Re: Syntax (and other) problems in Digest spec

The changes Scott proposes look good. I do have one comment though:

>   Ronald also
>   pointed out that RFC2069 did not require the 'realm' parameter to be
>   the first authentication parameter.  It looks to me as though this
>   was actually an attempt to write the fact that this parameter was
>   required into the syntax, and since there is no ambiguity created by
>   removing that requirement, I would prefer to see the more general
>   syntax used in 2069.
> 
>   The point may be made that some existing browsers may be broken by
>   this in that they may have coded to the 1945/2068 general rule.
>   I've done considerable testing in this area and have found that
>   browsers fall into two categories:
>     - They recognize that a challenge is not basic and give up,
>       displaying an error to the user saying that they can't deal with
>       this server.
>     - They just send basic credentials no matter what the challenge is
>       and it doesn't work.
>   Browser vendors are invited to figure out which their product does...
> 
>   In either case, changing the spec won't have any effect.

Changing this will affect at least old versions of my code, as it will
throw an exception during the parsing when the realm is not the first
param, before it even realizes that it may be an authentication scheme
it can't handle anyway (the parsing into params is a lower level process
than handling the specific scheme). I don't know which clients Scott
tested, but there are quite a few http client libraries and embedded
clients around, and I wouldn't be surprised if a number of them also use
a two level scheme. Now my only (slight) worry is that the proposed
change might confuse end users unnecessarily because of a misleading
error (i.e. a parse error instead of an unknown auth scheme error).

To help alleviate this I propose adding the following words:

>   These changes make the general syntax (now presented in 2068 section
>   11 - Access Authentication):
> 
>   ================
>          challenge      = auth-scheme 1*SP 1#auth-param
>          credentials    = basic-credentials
>                           | auth-scheme #auth-param
>          auth-param     = token "=" ( token | quoted-string )
> 
>     The authentication parameter 'realm' is defined for all
>     authentication schemes:
> 
>          realm          = "realm" "=" quoted-string

      Some older clients include parsers expecting the rfc-2068
      authentication syntax which requires the realm to be the first
      parameter in a challenge. While the above syntax does not require
      this anymore, server implementers are nevertheless encouraged
      to ensure that the realm is indeed the first parameter in a
      challenge whenever possible.

>   ================

As I noted before, most servers seem to do this anyway.


  Cheers,

  Ronald

Received on Thursday, 20 November 1997 08:41:21 UTC
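The two-level parsing Ronald describes, as an added example that is not code from this thread: a scheme-agnostic lower level parses the general challenge syntax quoted above, and an upper level only then dispatches on the scheme. The `require_realm_first` flag is a hypothetical switch that reproduces an RFC 2068 style parser, which turns an unrecognised scheme with a non-leading realm into a misleading parse error; `KNOWN_SCHEMES` and the RFC 7230 token character set are assumptions of this example.

```python
import re

# Grammar from the quoted draft: challenge = auth-scheme 1*SP 1#auth-param,
# auth-param = token "=" ( token | quoted-string ). Token chars follow the
# later RFC 7230 tchar set (an assumption/simplification for this example).
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
PARAM_RE = re.compile(rf"\s*({TOKEN})\s*=\s*({TOKEN}|{QUOTED})\s*")
KNOWN_SCHEMES = {"basic", "digest"}  # hypothetical client's supported schemes


class ChallengeParseError(ValueError):
    """Raised by the scheme-agnostic lower level when the syntax is malformed."""


def parse_challenge(header, require_realm_first=False):
    """Level 1: split one challenge into (scheme, {param: value}) without
    knowing the scheme. require_realm_first=True mimics an RFC 2068 style
    parser that wrote 'realm comes first' into its syntax."""
    m = re.match(rf"\s*({TOKEN})\s+(.*)$", header, re.DOTALL)
    if not m:
        raise ChallengeParseError("expected auth-scheme followed by parameters")
    scheme, rest, params, pos = m.group(1), m.group(2), {}, 0
    while pos < len(rest):
        pm = PARAM_RE.match(rest, pos)
        if not pm:
            raise ChallengeParseError(f"bad auth-param at offset {pos}")
        name, value = pm.group(1).lower(), pm.group(2)
        if value.startswith('"'):  # strip quotes, undo quoted-pair escapes
            value = re.sub(r"\\(.)", r"\1", value[1:-1])
        if require_realm_first and not params and name != "realm":
            raise ChallengeParseError("realm must be the first parameter")
        params[name] = value
        pos = pm.end()
        if pos < len(rest):  # elements of the #-list are separated by ","
            if rest[pos] != ",":
                raise ChallengeParseError(f"expected ',' at offset {pos}")
            pos += 1
    return scheme, params


def classify_challenge(header, require_realm_first=False):
    """Level 2: decide what the client reports. A strict lower level turns an
    unknown scheme into a misleading parse error; the general syntax does not."""
    try:
        scheme, params = parse_challenge(header, require_realm_first)
    except ChallengeParseError as e:
        return ("parse-error", str(e))
    if scheme.lower() not in KNOWN_SCHEMES:
        return ("unknown-scheme", scheme)
    if "realm" not in params:  # realm is defined (and required) for all schemes
        return ("parse-error", "missing required realm parameter")
    return ("ok", scheme.lower(), params)
```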