authentication help from Josh Watts on 2001-07-13 (www-lib@w3.org from July to September 2001)

From: Josh Watts <jwatts@pretorynet.com>
Date: Fri, 13 Jul 2001 12:07:20 -0400
To: <www-lib@w3.org>
Message-ID: <1EB9FCBE69B6154099DF0C4121D1503618A42A@pnisvrms001.pretorynet.com>
When I was trying to add authentication to my application, I noticed it
appeared often on the mailing list archives. I thought I'd send
information on how I got it to work. The order below is how I happened
to implement it - this is by no means set in stone.

1) You have to make sure that your application is set to interactive
mode. This is how you do it:

HTAlert_setInteractive(YES);

Most of the HTProfile clients do this for you. This is important for
Step 4.

2) Register your authentication modules. You can either brew your own or
you can use the ones provided by libwww. I'd suggest you use the ones
provided by libwww for either basic or digest authentication. If your
web server uses a different form of authentication, you have no choice
but to write your own authentication module. Here's how you do it:

HTAA_newModule("digest",HTDigest_generate,HTDigest_parse,
                            HTDigest_updateInfo,HTDigest_delete);

This only sets up digest authentication. Use the HTBasic_* functions to
set up basic authentication.

3) Delete the callback functions for the HT_A_USER_PW opcodes. This is
how you do it:

HTAlert_deleteOpcode(HT_A_USER_PW);

4) Once you've done that you have to register your own callback
functions. From what I can gather, these callback functions are only
called if you've set your application to interactive mode.This is how
you do it:

HTAlert_add(PromptUsernameAndPassword,HT_A_USER_PW);    

Below is a listing of my PromptUsernameAndPassword:

BOOL PromptUsernameAndPassword(HTRequest *request, HTAlertOpcode op,
                                                         int msgnum,
const char *dfault,
                                                         void *input,
HTAlertPar *reply)
{
    HTAlert_setReplyMessage(reply,USER);
    HTAlert_setReplySecret(reply,PASSWORD);
    return YES;
}

You'll notice that I simply send the username via
HTAlert_setReplyMessage and the password via HTAlert_setReplySecret.
Both USER and PASSWORD are #define's in my source code. You can
get the username and password from the user via a message box, standard
in, or anyway you want
to do it.

5) This is something that took me a while to figure out. You can't set
the request output's format to WWW_RAW.
Why you ask? Well, when you tell the request that you want the raw
information from the URL, it doesn't run it
through the MIME handlers. As I found out, the MIME handlers are very
important since they process the data coming from the web server. When
it gets a 401 Unauthorized, it looks at the type of authorization
required (usually either Basic or Digest) and calls the appropriate
authentication module but only if it's registered - makes Step 2 very
important. It then adds the authorication header to your original
request and re-submits the request. Here's how to set the request's
output format:

HTRequest_setOutputFormat(*request,WWW_SOURCE);

I hope this helps. If any of what I've said is inaccurate, I'm sure that
will be corrections.

My pain is your gain.

=~=~=~=~=~=~=~=~=~=~=~=~=~=~=
Josh Watts  /  PretoryNet, Inc.
email: jwatts@pretorynet.com
Received on Friday, 13 July 2001 12:07:55 UTC