msg146842
Author: David Fischer (dfischer)
Date: 2011-11-02 16:06

I ran into an application that responded with two www-authenticate challenges to an HTTP request. First, it sends a standard Basic authentication challenge, and then it also returns a www-authenticate header referencing another scheme. This looks legal to me according to RFC 2617. However, the regex in AbstractBasicAuthHandler that parses the www-authenticate header only grabs one of the challenges (the last one), and therefore urllib2 will not respond to the challenge with credentials.

msg146866
Author: Martin v. Löwis (loewis) *
Date: 2011-11-02 18:43

> I ran into an application that responded with two www-authenticate
> challenges to an HTTP request. First, it sends a standard Basic
> authentication challenge and then it also returns a www-authenticate
> header referencing another scheme.

What exactly do you mean by "then"? In HTTP, there is only a single response to a single request, so in what way does the server send two responses to a single request?

msg146867
Author: David Fischer (dfischer)
Date: 2011-11-02 18:47

Perhaps I should have chosen my words more carefully. There are two www-authenticate headers in the single HTTP response.

msg146870
Author: Martin v. Löwis (loewis) *
Date: 2011-11-02 19:15

So what do you propose to do? RFC 2617 specifies:

    The user agent MUST choose to use one of the challenges with the
    strongest auth-scheme it understands and request credentials from
    the user based upon that challenge.

msg146875
Author: David Fischer (dfischer)
Date: 2011-11-02 20:11

I think the key words in the RFC are "strongest auth-scheme it understands". I think in an ideal world, the urllib2 opener (given its handlers) would see that it doesn't understand the second auth-scheme and then see if it understands the first one. However, the term "strongest" implies an ordering among the auth schemes.

msg146981
Author: Martin v. Löwis (loewis) *
Date: 2011-11-03 21:25

Would you like to provide a patch?

msg147193
Author: David Fischer (dfischer)
Date: 2011-11-06 22:51

With this patch, the AbstractBasicAuthHandler (and its subclasses) performs a regex search on the amalgamated "www-authenticate" header for basic authentication. This fixes the case where you have an HTTP response of the form:

    HTTP/1.1 401 Authorization Required
    Server: HTTPd/1.0
    WWW-Authenticate: Basic realm="Secure Area"
    WWW-Authenticate: SomethingElse realm="Alternative"
    ...

In the above case, AbstractBasicAuthHandler will attempt basic auth against the "Secure Area" realm.

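The response shape in the previous message (Basic first, an unknown scheme last) is easy to reproduce offline. What follows is an added example written for this page; it is not CPython's urllib code and not the patch attached to this issue. It shows a realm-matching regex of the greedy shape the report describes seeing only the last challenge once the repeated headers are joined into one value, and beside it a small challenge parser that collects every challenge, whether from repeated headers or from several comma-separated challenges in one field value, and picks the strongest scheme the client understands. The header blocks are constructed for the example; the preference order (Digest over Basic) and the rule that a bare token after a scheme starts a new challenge are assumptions, not something the thread or the RFC fixes.

```python
"""Collecting several WWW-Authenticate challenges and picking one to answer.

Added example for this issue; not CPython's code and not the attached patch.
"""
import re
from http.client import parse_headers
from io import BytesIO

# Constructed 401 header block of the shape described in the report: the
# Basic challenge comes first, a scheme the client does not know comes last.
RAW_401 = (
    b"Server: HTTPd/1.0\r\n"
    b'WWW-Authenticate: Basic realm="Secure Area"\r\n'
    b'WWW-Authenticate: SomethingElse realm="Alternative"\r\n'
    b"\r\n"
)

# Constructed header block carrying two challenges in one field value.
RAW_401_DIGEST = (
    b'WWW-Authenticate: Digest realm="Secure Area", nonce="abc123", qop="auth", '
    b'Basic realm="Secure Area"\r\n'
    b"\r\n"
)


def load_headers(raw):
    """Parse a raw header block (bytes ending in a blank line) into an HTTPMessage."""
    return parse_headers(BytesIO(raw))


def joined_value(msg, name="WWW-Authenticate"):
    """Join repeated headers with ', ' (the amalgamated form the report refers to)."""
    return ", ".join(msg.get_all(name, []))


# A pattern of the greedy shape the report describes: '(?:.*,)*' swallows
# everything up to the last comma, so only the final challenge is examined.
_LEGACY_RX = re.compile(r'(?:.*,)*[ \t]*([^ \t]+)[ \t]+realm=(["\']?)([^"\']*)\2', re.I)


def legacy_basic_realm(value):
    """Return the Basic realm if the legacy pattern lands on a Basic challenge, else None."""
    m = _LEGACY_RX.search(value)
    if m and m.group(1).lower() == "basic":
        return m.group(3)
    return None


# RFC 7235 building blocks: token and quoted-string (with backslash escapes).
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_LEXER = re.compile(
    r"\s*(?:(?P<pname>{t})\s*=\s*(?P<pval>{q}|{t})|(?P<scheme>{t})|(?P<comma>,))".format(
        t=_TOKEN, q=_QUOTED
    )
)


def _unquote(v):
    """Strip a quoted-string's quotes and resolve backslash escapes."""
    if v.startswith('"'):
        return re.sub(r"\\(.)", r"\1", v[1:-1])
    return v


def parse_challenges(values):
    """Parse every challenge from a list of WWW-Authenticate field values.

    Returns [(scheme, {param: value}), ...] in the order the server sent them.
    Assumption: a bare token after a scheme begins a new challenge (RFC 7235
    token68 values are not distinguished from scheme names here).
    """
    challenges = []
    for value in values:
        value = value.strip()
        pos = 0
        current = None
        while pos < len(value):
            m = _LEXER.match(value, pos)
            if m is None:
                raise ValueError("malformed challenge at offset %d: %r" % (pos, value[pos:]))
            pos = m.end()
            if m.group("comma"):
                continue
            if m.group("scheme"):
                current = (m.group("scheme"), {})
                challenges.append(current)
                continue
            if current is None:
                raise ValueError("auth-param before any auth-scheme: %r" % value)
            current[1][m.group("pname").lower()] = _unquote(m.group("pval"))
    return challenges


def choose_challenge(challenges, supported=("digest", "basic")):
    """Return the challenge for the strongest scheme the client understands.

    `supported` lists schemes strongest first; RFC 2617 leaves that ordering
    to the user agent, and Digest over Basic is assumed here.
    """
    for scheme in supported:
        for name, params in challenges:
            if name.lower() == scheme:
                return name, params
    return None


if __name__ == "__main__":
    msg = load_headers(RAW_401)
    print("legacy pattern, Basic realm found:", legacy_basic_realm(joined_value(msg)))
    found = parse_challenges(msg.get_all("WWW-Authenticate"))
    print("all challenges:", found)
    print("chosen:", choose_challenge(found))
```

With a Python 3 HTTPMessage, get_all() already returns each repeated header separately, so parse_challenges() can take that list directly; the joined form is only needed to reproduce what the report describes, and the parser handles it the same way because it also splits challenges inside a single value.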
msg196783
Author: Sigmund Augdal (Sigmund.Augdal)
Date: 2013-09-02 14:46

Can someone please apply this patch or provide a reason why it should not be applied?

msg196784
Author: Senthil Kumaran (orsenthil) *
Date: 2013-09-02 15:31

Sigmund: Sorry for the delay. I shall act on this.

msg235670
Author: Martin Panter (martin.panter) *
Date: 2015-02-10 06:39

Issue 15310 appears to have a more thorough patch.
