W3C home > Mailing lists > Public > www-lib@w3.org > April to June 2004

Re: HTRequest only holds a single auth scheme

From: Steinar Bang <sb@dod.no>
Date: Fri, 04 Jun 2004 07:57:38 +0200
To: www-lib@w3.org
Message-ID: <87u0xruap9.fsf@dod.no>
>>>>> Steinar Bang <sb@dod.no>:

> The apache mod_auth_kerberos module by default has two
> WWW-Authenticate headers, one for "Negotiate", and one for "Basic".
> I believe this is the default behaviour for IIS as well.

> However the HTRequest structure only has room for a single
> authentication scheme, so the last WWW-Authentication header
> ("Basic" in this case) overwrites any previous values set.

> This means that my functions set with a call to HTAA_newModule(), are
> only called when I switch off password authentication.

Attached is my attempt at a patch for multiple auth schemes (diff done
against libwww CVS HEAD).  The idea is to iterate through the list in
the order the WWW-Authenticate headers occur in the HTTP response, and
if the implementation for a scheme returns HT_ERROR, skip to the next

Caveat!  This has not been extensively tested.

Received on Friday, 4 June 2004 01:57:43 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:33:56 UTC