Re: http-request authentication missing realm?

Toman_Vojtech@emc.com writes:
> Providing p:http-request with an explicit realm option would only make
> sense to me if p:http-request contained some logic for determining which
> username/password to pick for a particular authentication realm.

Well, the c:request object provides options for specifying a username
and password and telling the processor to attempt to authorize on the
first attempt, skipping the challenge.

But this request:

  <c:request username="myname" password="mypsw" auth-method="Digest"
             send-authorization="true" .../>

is bound to fail because the digest can't be computed without the
realm. (For basic authentication, the realm doesn't really matter.)

OTOH, digest authentication involves some sort of nonce, so maybe you
can't succeed w/o the challenge anyway. Yeah. Never mind. Ignore me.

I think the bottom line is, send-authorization=true is useless if
you're doing digest auth, but that's just the way it is.

                                        Be seeing you,
                                          norm

-- 
Norman Walsh <ndw@nwalsh.com> | The condition of an enlightened mind is
http://nwalsh.com/            | a surrendered heart.--Alan Redpath

Received on Wednesday, 10 December 2008 14:04:49 UTC