List:       xmlrpc-dev
Subject:    Re: patch to correct improper handling of HTTP Basic authentication
From:       Adam Megacz <adam () megacz ! com>
Date:       2002-08-25 2:01:05


Daniel Rall <dlr@finemaltcoding.com> writes:
> > The key concept here is that HTTP simply does not support the notion
> > of "optional authentication".

> HTTP does not support the notion of optional auth, but an XML-RPC
> handler might (say, based on some configuration parameter).

Er, if HTTP Basic authentication is being used, then XML-RPC *cannot*
support optional authentication without violating the HTTP spec.  If
the username and password are XML-RPC values, then you can do whatever
you like.


> If it does not, were you trying to keep AuthenticatedXmlRpcHandler
> authors from shooting themselves in the foot?

Exactly.  If the handler uses authentication, and user==null,
returning a 401 is the *only* valid response.  This is something most
people aren't aware of, and are extremely likely to screw up.

  - a


-- 
"Cassette tapes are killing the music industry"
                             -- RIAA spokesperson, 1978
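
The rule argued for in this message, as an added example that is not part of the original post or of the xmlrpc project's code: a handler that uses HTTP Basic authentication answers 401 with a challenge whenever no usable credentials arrive, and never falls through to an anonymous call. The names `parse_basic`, `respond`, `demo_verify`, the realm and the test account are assumptions made for illustration.

```python
import base64
import binascii

REALM = "xmlrpc-example"  # constructed realm name, not from the original post


def make_basic(user, password):
    """Build an Authorization header value (helper for the sample requests)."""
    raw = ("%s:%s" % (user, password)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic(header):
    """Return (user, password) from an Authorization header, or (None, None)."""
    if not header:
        return None, None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None, None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None, None  # malformed credentials count as no credentials
    user, sep, password = decoded.partition(":")  # password may contain ':'
    if not sep or not user:
        return None, None
    return user, password


def demo_verify(user, password):
    """Hypothetical credential check against one constructed test account."""
    return (user, password) == ("alice", "s3cret")


def respond(headers, handler_uses_auth, verify=demo_verify):
    """Decide status and response headers for one XML-RPC POST.

    headers is assumed to be a dict with canonical header names.
    """
    if not handler_uses_auth:
        return 200, {}  # plain handler: the request is dispatched as usual
    user, password = parse_basic(headers.get("Authorization"))
    if user is None or not verify(user, password):
        # No "optional" path: user == None gets a challenge, not an anonymous call.
        return 401, {"WWW-Authenticate": 'Basic realm="%s"' % REALM}
    return 200, {}
```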