- From: Jose Kahan <jose.kahan@w3.org>
- Date: Thu, 10 Apr 2003 12:22:42 +0200
- To: Henryk Pl?tz <henryk@ploetzli.ch>
- Cc: www-amaya@w3.org
Hello Henryk, Looking at my code comments, I noted that we don't handle auth-int. The case where the server sends both values must be something we never tried before. So it must be a bug. Can you tell me which server you were using or open me an access so that I can debug and fix this problem? The latter would be the fastest. -jose On Sat, Mar 29, 2003 at 06:49:38AM +0100, Henryk Pl?tz wrote: > > I've been playing around with Amaya 7.2 under Gentoo Linux with kernel > 2.4.20 and Digest Access Authentication. But as soon as the server > started sending qop="auth, auth-int" in it's WWW-Authenticate response > header, Amaya was unable to authenticate any longer while Mozilla worked > fine. > > By modifying the server code I found that Amaya uses "auth, auth-int" > (without the quotes of course) as value for unq(qop-value) in the > calculation of the request-digest (RFC 2617, section 3.2.2.1), while RFC > 2617 clearly states that it "... MUST be one of the alternatives the > server indicated it supports in the WWW-Authenticate header. [...] Note > that this is a single token, not a quoted list of alternatives as in > WWW-Authenticate." (section 3.2.2) > > So, if I'm not mistaken this is a bug in Amaya, isn't it? [snip]
Received on Thursday, 10 April 2003 06:22:50 UTC