On Mon, 20 Oct 2003, Roth, Kevin P. wrote:

> THANKS for fixing the double-prompting for NTLM!

I've actually done some pretty major changes under the surface in the password
prompting area. I ripped out the whole prompting stuff from the library and
put it in the client code. This made it a lot nicer and fixed the
double-prompting immediately.

> I see that you fixed this, by adding the user-name to the password prompt. I
> think that's a perfect solution, and it works really nicely...

Yes, I also include info about if the user/passwd is used for a host or for a
proxy. I think it turned out nice.

> I also see you added a new "* Server auth" info line during --anyauth
> processing, which also looks great!

Now you get a better understanding for what libcurl is actually doing and what
auth system it picked etc.

All based on your feedback. I'm grateful. I'm too focused on the technical
details at times so I forget these little minor changes that makes it so much
nicer and better for the end user.

> I found another problem (or two) with --anyauth.

This troubles me. At least the second one. See below.

> But, if I leave off the username, I end up with a Segmentation Fault.
> The sequence is that request 1 obtains the WWW-AUthenticate response
> headers, request 2 begins the NTLM authentication sequence, and request
> three looks like this:
> * Ignoring the response-body
> * Connection #0 left intact
> * Issue another request to this URL: 'http://mpweb.fdy.moc.com/sapportal/'
> Segmentation fault (core dumped)

I've been messing around with how the user name and password is stored and
kept within libcurl and it might possibly be why this happens. I can't repeat
this myself, but then I don't have a live NTLM-server to try against, I can
only setup static test cases that mimic NTLM.

I've now once again gone over the code and changed how the user name/password
is handled, and I think it will work better now. I'll build a pre5 package
later today or so, to make sure this truly is fixed.

BTW, no -u option is now making this operation use an empty user name and an
empty password.

> $ curl -v http://testweb.fdy.moc.com/__test/sendmail.asp \
> --anyauth -u DOMAIN\\USER
> Enter host password for user 'DOMAIN\USER':
> * About to connect() to testweb.fdy.moc.com:80
> * Connected to testweb.fdy.moc.com (89.2.45.40) port 80
> > GET /__test/sendmail.asp HTTP/1.1

[snip]

> As you can see, no attempt at authentication occurred. The difference
> between this example (which fails) and the previous one (that works) is the
> extra "WWW-Authenticate: Basic ..." header.

This is a mystery. I've been trying to repeat this with various setups, but
I've failed (test case 91 was added to CVS). When I make a test case that
seems to return exactly these WWW-Authenticate headers, I get curl to pick
NTLM and use that for authentication...

-- 
 Daniel Stenberg -- curl: been grokking URLs since 1998
-------------------------------------------------------
This SF.net email is sponsored by OSDN developer relations
Here's your chance to show off your extensive product knowledge
We want to know what you know. Tell us and you have a chance to win $100
http://www.zoomerang.com/survey.zgi?HRPT1X3RYQNC5V4MLNSV3E54