List: xmlrpc-dev
Subject: Re: patch to correct improper handling of HTTP Basic authentication
From: Adam Megacz <adam () megacz ! com>
Date: 2002-08-25 2:01:05
Daniel Rall <dlr@finemaltcoding.com> writes:
> > The key concept here is that HTTP simply does not support the notion
> > of "optional authentication".
> HTTP does not support the notation of optional auth, but an XML-RPC
> handler might (say, based on some configuration parameter).
Er, if HTTP Basic authentication is being used, then XML-RPC *cannot*
support optional authentication without violating the HTTP spec. If
the username and password are XML-RPC values, then you can do whatever
you like.
> If it does not, were you trying to keep AuthenticatedXmlRpcHandler
> authors from shooting themselves in the foot?
Exactly. If the handler uses authentication, and user==null,
returning a 401 is the *only* valid response. This is something most
people aren't aware of, and are extremely likely to screw up.
- a
--
"Cassette tapes are killing the music industry"
-- RIAA spokesperson, 1978
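
The rule stated in this message, sketched as an added example (not part of the original post and not Apache XML-RPC code): a handler that uses HTTP Basic authentication answers 401 with a `WWW-Authenticate` challenge whenever no usable credentials arrive, instead of falling through to an anonymous call. The realm, the `USERS` table and all function names are hypothetical, and rejecting wrong credentials with the same 401 is standard HTTP behaviour added here beyond the `user==null` case discussed above.

```python
import base64
import binascii
import hmac

REALM = "xmlrpc"                 # assumed realm name
USERS = {"alice": "s3cret"}      # constructed sample credentials


def basic_header(user, password):
    """Build the Authorization header value a client would send."""
    raw = ("%s:%s" % (user, password)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic(header):
    """Return (user, password) from an Authorization header, or None."""
    if not header:
        return None
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None              # malformed header counts as "no user"
    user, sep, password = decoded.partition(":")
    return (user, password) if sep and user else None


def check_credentials(user, password):
    """Constant-time comparison against the sample user table."""
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(expected, password)


def dispatch(headers, handler_uses_auth, invoke):
    """Return (status, response_headers, body) for one XML-RPC request."""
    if not handler_uses_auth:
        return 200, {}, invoke(None)
    creds = parse_basic(headers.get("Authorization"))
    if creds is None or not check_credentials(*creds):
        # The only valid answer when the handler authenticates and no
        # valid user is present: challenge, never invoke anonymously.
        return 401, {"WWW-Authenticate": 'Basic realm="%s"' % REALM}, b""
    return 200, {}, invoke(creds[0])
```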