[HTTP] patch for HTTP digest auth with unquoted values

William Waites wwaites at tardis.ed.ac.uk
Wed Jan 4 10:04:41 GMT 2012


On Wed, 04 Jan 2012 06:52:24 +0000, Ganesh Sittampalam <ganesh at earth.li> said:

    ganesh> Before applying this to HTTP, I'd like (a) a test added to
    ganesh> test/httpTests.hs (b) a reference for why it's ok, e.g. a
    ganesh> reference to the RFC and/or details of what server sends
    ganesh> this

Hi Ganesh,

Actually it's probably better to wait before applying this. There
needs to be some more done before digest authentication will actually work.

For (b), RFC 2617 section 3.2.1,

      algorithm = "algorithm" "=" ( "MD5" | "MD5-sess" | token )

The server in question, I'm not actually sure what it is. It doesn't
identify itself. I believe it is something based on the Java Jetty
stuff. But tokens without quotes are definitely allowed. It seems
reasonable but not strictly required by the RFC to treat algorithm=MD5
as equivalent to algorithm="MD5". I'll contact the server operator to
see if they can fix it to something following the RFC a bit more
closely, but other clients like curl and wget and Python's urllib2 all
understand this.

The reason the Haskell client still won't work properly is,

  (Section 3.2.2)

  cnonce
     This MUST be specified if a qop directive is sent (see above), and
     MUST NOT be specified if the server did not send a qop directive in
     the WWW-Authenticate header field.

Right now the client does not ever use cnonce.

A first cut just to check that the basic mechanism works, setting up a
dummy cnonce value, "abc123", and calculating the response, I can get
it to work. To do this properly, we need to generate the cnonce value
somehow, which means moving the function into some
monad. BrowserAction is suggested in the comment at the top of the
function, but doing that directly would cause an import loop. So it
looks like some refactoring might be necessary.

Any suggestion about how to do this would be welcome - I'm still
fairly new to Haskell and not entirely sure how best to go about it.

In any event, next patch will have some tests.

Cheers,
-w
--
	       William Waites <wwaites at tardis.ed.ac.uk>
 Visiting Researcher, Laboratory for Foundations of Computer Science
	    School of Informatics, University of Edinburgh