Re: Digest Access Authentication probably broken

From: Jose Kahan <jose.kahan@w3.org>
Date: Thu, 10 Apr 2003 12:22:42 +0200
To: Henryk Plötz <henryk@ploetzli.ch>
Cc: www-amaya@w3.org
Message-ID: <20030410102242.GG10367@inrialpes.fr>

Hello Henryk,

Looking at my code comments, I noted that we don't handle auth-int. The
case where the server sends both values must be something we never tried
before. So it must be a bug.

Can you tell me which server you were using or open me an access so that
I can debug and fix this problem? The latter would be the fastest.

-jose

On Sat, Mar 29, 2003 at 06:49:38AM +0100, Henryk Plötz wrote:
> 
> I've been playing around with Amaya 7.2 under Gentoo Linux with kernel
> 2.4.20 and Digest Access Authentication. But as soon as the server
> started sending qop="auth, auth-int" in its WWW-Authenticate response
> header, Amaya was unable to authenticate any longer while Mozilla worked
> fine.
> 
> By modifying the server code I found that Amaya uses "auth, auth-int"
> (without the quotes of course) as value for unq(qop-value) in the
> calculation of the request-digest (RFC 2617, section 3.2.2.1), while RFC
> 2617 clearly states that it "... MUST be one of the alternatives the
> server indicated it supports in the WWW-Authenticate header. [...] Note
> that this is a single token, not a quoted list of alternatives as in
> WWW-Authenticate." (section 3.2.2)
> 
> So, if I'm not mistaken this is a bug in Amaya, isn't it?

[snip]
Received on Thursday, 10 April 2003 06:22:50 UTC
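
The mismatch reported in this thread, as an added example that is not part of the original messages and is not Amaya's code: a client that picks a single qop token from the challenge computes the request-digest the server expects, while one that copies the whole list does not. The function names are hypothetical; the credentials, nonce and expected digest are the sample values from RFC 2617 section 3.5, with the qop list spelled as in the report.

```python
import hashlib
import re

# Constructed challenge: RFC 2617 section 3.5 sample values, qop list as in the report.
CHALLENGE = ('Digest realm="testrealm@host.com", qop="auth, auth-int", '
             'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093"')

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_qop_options(challenge):
    """Return the qop alternatives offered in a WWW-Authenticate header value."""
    m = re.search(r'\bqop\s*=\s*(?:"([^"]*)"|([^\s,]+))', challenge, re.I)
    if not m:
        return []  # no qop directive: server expects the RFC 2069 style digest
    raw = m.group(1) if m.group(1) is not None else m.group(2)
    return [tok.strip().lower() for tok in raw.split(",") if tok.strip()]

def choose_qop(options, supported=("auth",)):
    """Pick ONE token the client implements; this client lacks auth-int."""
    for token in supported:
        if token in options:
            return token
    return None

def request_digest(user, realm, password, method, uri, nonce, nc, cnonce, qop):
    """request-digest per RFC 2617 section 3.2.2.1 for qop=auth (A2 has no body hash)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

# Remaining RFC 2617 section 3.5 sample values.
ARGS = ("Mufasa", "testrealm@host.com", "Circle Of Life", "GET",
        "/dir/index.html", "dcd98b7102dd2f0e8b11d0f600bfb0c093",
        "00000001", "0a4f113b")

def correct_digest():
    # Single token selected from the server's alternatives.
    return request_digest(*ARGS, choose_qop(parse_qop_options(CHALLENGE)))

def list_as_token_digest():
    # The reported behaviour: the unquoted list is used as the qop value.
    return request_digest(*ARGS, "auth, auth-int")

if __name__ == "__main__":
    print("single token :", correct_digest())
    print("whole list   :", list_as_token_digest())
```

The same selected token also has to be the one sent in the Authorization header's qop directive, since the server recomputes the digest from the value it receives there.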

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:30:41 UTC