Issue 22496: urllib2 fails against IIS (urllib2 can't parse 401 reply www-authenticate headers) (original) (raw)
When connecting to a IIS server, it replies that:
Unauthorized Server: Microsoft-IIS/7.5 WWW-Authenticate: Digest qop="auth",algorithm=MD5-sess,nonce="+Upgraded+v1fe2ba746797cfd974e85f9f6dbdd6e514ec45becd2d8cf0112c764c676ad4a00f98517bb166e467dcad4b942254bd9b71d447e3529c509d2",charset=utf-8,realm="Digest" WWW-Authenticate: Negotiate WWW-Authenticate: NTLM X-Powered-By: ASP.NET Date: Thu, 25 Sep 2014 15:11:03 GMT Connection: close Content-Length: 0
which blew python 2.7 utllib2 like this:
File "tut2.py", line 23, in response = opener.open('https://exca010.encara.local.ads/ews/Services.wsdl') File "/usr/lib64/python2.7/urllib2.py", line 410, in open response = meth(req, response) File "/usr/lib64/python2.7/urllib2.py", line 524, in http_response 'http', request, response, code, msg, hdrs) File "/usr/lib64/python2.7/urllib2.py", line 442, in error result = self._call_chain(*args) File "/usr/lib64/python2.7/urllib2.py", line 382, in _call_chain result = func(*args) File "/usr/lib64/python2.7/urllib2.py", line 1090, in http_error_401 host, req, headers) File "/usr/lib64/python2.7/urllib2.py", line 973, in http_error_auth_reqed return self.retry_http_digest_auth(req, authreq) File "/usr/lib64/python2.7/urllib2.py", line 977, in retry_http_digest_auth chal = parse_keqv_list(parse_http_list(challenge)) File "/usr/lib64/python2.7/urllib2.py", line 1259, in parse_keqv_list k, v = elt.split('=', 1) ValueError: need more than 1 value to unpack
urllib2 seems to assume that every www-authenticate header value will be a list of equal-signe-separated tuple.
On python3, the error is different and trigger this http://bugs.python.org/issue2202 (which is soon-to-be-fixed)
Yes, urllib2 does not have any support for NTML based authentication. And it is a long pending feature request too.
For 2.7, the best way to handle this might be, instead of crashing on WWW-Authenticate: Negotiate, which is a valid response from IIS (1). It should detect it and fail with a helpful message to use a 3rdparty handler along with urllib2 [2]
And for 3.5, I think it is worthy to consider adding the support in stdlib. @Daniel Holth - I see you are the owner of it. If we choose to adopt it, do you give permission to reuse portions of code (with correct attribution) in the stdlib?
- http://msdn.microsoft.com/en-us/library/ms995330#http-sso-2_topic1
- https://code.google.com/p/python-ntlm/
I am not the copyright holder, I only maintain the pypi package for python-ntlm. I might have 10 lines of my own code in the whole package.
If running on Windows it would be great to have out of the box "native windows NTLM" which can be done somehow with the win32 module, I think...
It may also be possible to use Kerberos authentication (NTLMv2) instead of NTLM in most cases these days; since after Windows 2000 according to Wikipedia.
On Fri, Sep 26, 2014, at 01:51 AM, Senthil Kumaran wrote:
Senthil Kumaran added the comment:
Yes, urllib2 does not have any support for NTML based authentication. And it is a long pending feature request too.
For 2.7, the best way to handle this might be, instead of crashing on WWW-Authenticate: Negotiate, which is a valid response from IIS (1). It should detect it and fail with a helpful message to use a 3rdparty handler along with urllib2 [2]
And for 3.5, I think it is worthy to consider adding the support in stdlib. @Daniel Holth - I see you are the owner of it. If we choose to adopt it, do you give permission to reuse portions of code (with correct attribution) in the stdlib?
- http://msdn.microsoft.com/en-us/library/ms995330#http-sso-2_topic1
- https://code.google.com/p/python-ntlm/
assignee: -> orsenthil nosy: +dholth
Python tracker <report@bugs.python.org> <http://bugs.python.org/issue22496>