xml-rpc-dev mailing list archives

From Daniel Rall <...@finemaltcoding.com>
Subject Re: patch to correct improper handling of HTTP Basic authentication
Date Fri, 27 Sep 2002 17:20:41 GMT
Adam Megacz <adam@megacz.com> writes:

> Daniel Rall <dlr@finemaltcoding.com> writes:
> > > The key concept here is that HTTP simply does not support the notion
> > > of "optional authentication".
> > HTTP does not support the notion of optional auth, but an XML-RPC
> > handler might (say, based on some configuration parameter).
> Er, if HTTP Basic authentication is being used, then XML-RPC *cannot*
> support optional authentication without violating the HTTP spec.  If
> the username and password are XML-RPC values, then you can do whatever
> you like.
> > If it does not, were you trying to keep AuthenticatedXmlRpcHandler
> > authors from shooting themselves in the foot?
> Exactly.  If the handler uses authentication, and user==null,
> returning a 401 is the *only* valid response.  This is something most
> people aren't aware of, and are extremely likely to screw up.

Done, let me know if it matches up with how you were seeing it.

Daniel Rall <dlr@finemaltcoding.com>
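
The rule settled in this thread (a handler that authenticates must answer a request carrying no user with a 401 challenge instead of dispatching it), as an added example that is not part of the original message or the project's code. `BasicAuthGate`, `Decision`, `decide`, `parseBasic` and the realm `xmlrpc` are hypothetical names, and Java 16+ is assumed for `record`.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class BasicAuthGate {
    /** Outcome of inspecting one request's Authorization header. */
    record Decision(int status, String user, String password, String challenge) {}

    static final String REALM = "xmlrpc"; // constructed realm name

    static Decision decide(String authorization, boolean handlerAuthenticates) {
        if (!handlerAuthenticates) {
            return new Decision(200, null, null, null); // plain handler: no credentials involved
        }
        String[] creds = parseBasic(authorization);
        if (creds == null) {
            // user == null on an authenticating handler: challenge, never dispatch.
            return new Decision(401, null, null, "Basic realm=\"" + REALM + "\"");
        }
        return new Decision(200, creds[0], creds[1], null); // handler still validates the pair
    }

    /** Returns {user, password}, or null if the header is absent or malformed. */
    static String[] parseBasic(String authorization) {
        if (authorization == null) return null;
        String[] parts = authorization.trim().split("\\s+", 2);
        if (parts.length != 2 || !parts[0].equalsIgnoreCase("Basic")) return null;
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(parts[1].trim()), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null; // not valid base64
        }
        int colon = decoded.indexOf(':'); // password may itself contain ':'
        if (colon < 0) return null;
        return new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) };
    }

    public static void main(String[] args) {
        String good = "Basic " + Base64.getEncoder()
                .encodeToString("alice:s3:cret".getBytes(StandardCharsets.UTF_8)); // constructed sample
        for (String h : new String[] { null, "Bearer abc", "Basic !!!", good }) {
            System.out.println(h + " -> " + decide(h, true));
        }
    }
}
```

The first three constructed headers produce a 401 with a `Basic realm="xmlrpc"` challenge; only the well-formed one reaches the handler, with the password split at the first colon.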
