curl-users

problem with http basic authentication and multiple redirects

From: Menner May <hans.juergen.may_at_googlemail.com>
Date: Tue, 25 Nov 2008 16:33:05 +0100

I'm successfully using curl and libcurl to upload and download files
using http, https, ftp, ftps and sftp, sometimes via http and socks
proxies. Fine tool.

But this time I have problems downloading a file from a https site
with basic authentication. It's no problem with Firefox: typing in the
URL, filling in username and password in the Firefox basic
authentication window, and then downloading the file. But with curl,
it's failing.

With LiveHTTP Headers I could find the reason, probably. There are
some cookies, but curl can cope with that. And there are multiple
dynamic 302 redirects, forward to a Single Sign On application, and
then back again. And the client is supposed NOT to send its basic
authentication credentials until one of those redirected pages ask for
it.

If the client sends its basic authentication header immediately,
without being asked by the server, this redirection does not occur.
Instead, the server sends a 401 error page.

Is there an option in curl, maybe in conjunction with --location, to
send the basic authentication header only if requested by the server
(WWW-Authenticate: BASIC realm=...) ?

Menner

Details of the Firefox conversation:

#1 (original path)
GET /path/app?par=filename

HTTP/1.x 302 Moved Temporarily
Location: /basicbcaaa/protected/basicbcaaa/?par=BASE64ENCODEDSESSION==
Set-Cookie: sticky-key=somevalue; path=/; expires=....

#2 (redirect to sign on application)
GET /basicbcaaa/protected/basicbcaaa/?par=BASE64ENCODEDSESSION==
Cookie: sticky-key=somevalue

HTTP/1.x 401 Unauthorized
WWW-Authenticate: BASIC realm="WWW2 basic"
Set-Cookie: BCSICSAC=XY; Path=/
Set-Cookie: sticky-key=somevalue; path=/; expires=....

#3 (sign on)
GET /basicbcaaa/protected/basicbcaaa/?par=BASE64ENCODEDSESSION==
Cookie: sticky-key=somevalue; BCSICSAC=XY
Authorization: Basic aBcDeFaBcDeFaBcDeFaBcDeF

HTTP/1.x 302 Moved Temporarily
Location: /path/app?par=filename;cookiename=cookievalue
Set-Cookie: COOKIENAME=COOKIEVALUE; Path=/
Set-Cookie: SSOCookie=BASE64ENCODED-SSOTOKEN==; Path=/
Set-Cookie: sticky-key=somevalue; path=/; expires=....

#4 (redirect to original application, with session id)
GET /path/app?par=filename;cookiename=cookievalue
Cookie: sticky-key=somevalue; BCSICSAC=XY; COOKIENAME=COOKIEVALUE; SSOCookie=BASE64ENCODED-SSOTOKEN==

HTTP/1.x 302 Moved Temporarily
Location: /path/app?par=filename
Set-Cookie: COOKIENAME=COOKIEVALUE; Path=/
Set-Cookie: sticky-key=somevalue; path=/; expires=....

#5 (again, original request, this time with some cookies)
GET /path/app?par=filename
Cookie: sticky-key=somevalue; BCSICSAC=XY; COOKIENAME=COOKIEVALUE; SSOCookie=BASE64ENCODED-SSOTOKEN==

HTTP/1.x 200 OK
Content-Type: application/x-download
-------------------------------------------------------------------
Received on 2008-11-25
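
The exchange described in the mail above, as an added example that is not part of the original post and is not curl code: Python's urllib, whose Basic handler sends credentials only in answer to a 401 carrying WWW-Authenticate, is run against a constructed local mock of the described server, once challenge-driven and once with the header sent up front. The mock's routing, the `SESSION` and `SSOCookie` values, the credentials, and the folding of step #4 into the sign-on redirect are assumptions made for illustration.

```python
import base64, threading, urllib.request, urllib.error
from http.cookiejar import CookieJar
from http.server import BaseHTTPRequestHandler, HTTPServer
# Constructed stand-ins for the paths and credentials in the mail's trace.
APP, SSO = "/path/app?par=filename", "/basicbcaaa/protected/basicbcaaa/?par=SESSION"
USER, PASSWORD = "user", "example-password"
TOKEN = "Basic " + base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()
seen = []  # (path, carried Authorization?) for each request the mock server got

class MockSite(BaseHTTPRequestHandler):
    def reply(self, status, **headers):
        self.send_response(status)
        for name, value in {**headers, "Content_Length": "0"}.items():
            self.send_header(name.replace("_", "-"), value)
        self.end_headers()
    def do_GET(self):
        auth, cookies = self.headers.get("Authorization"), self.headers.get("Cookie", "")
        seen.append((self.path, auth is not None))
        if self.path == SSO and auth == TOKEN:   # step 3: sign-on accepted
            self.reply(302, Location=APP, Set_Cookie="SSOCookie=TOKEN; Path=/")
        elif self.path == SSO:                   # step 2: Basic challenge
            self.reply(401, WWW_Authenticate='BASIC realm="WWW2 basic"')
        elif auth:                               # unsolicited credentials: 401, no redirect
            self.reply(401)
        elif "SSOCookie=" in cookies:            # step 5: file is served
            self.reply(200, Content_Type="application/x-download")
        else:                                    # step 1: redirect to the sign-on app
            self.reply(302, Location=SSO)
    def log_message(self, *args): pass           # silence per-request logging

def fetch(preemptive):  # returns (final status, server-side trace) for one attempt
    seen.clear()
    server = HTTPServer(("127.0.0.1", 0), MockSite)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    passwords = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    passwords.add_password(None, base + "/", USER, PASSWORD)
    opener = urllib.request.build_opener(        # auth handler reacts to 401 challenges only
        urllib.request.ProxyHandler({}), urllib.request.HTTPCookieProcessor(CookieJar()),
        urllib.request.HTTPBasicAuthHandler(passwords))
    request = urllib.request.Request(base + APP)
    if preemptive:
        request.add_header("Authorization", TOKEN)
    try:
        status = opener.open(request, timeout=5).status
    except urllib.error.HTTPError as err:
        status = err.code
    server.shutdown(); server.server_close()
    return status, list(seen)
```

In curl itself, the documented `--anyauth` option makes the client issue the request without credentials first and authenticate only after the server's challenge.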