On Fri, 13 Jun 2003, Cris Bailiff wrote:

> Hmm - I'm getting a segfault with the current CVS with 0.9.7a. Curious.

Weird. I'm running this with 0.9.7a fine here. Have you tried doing a 'make
clean' to get rid of old leftovers?

> Whilst I'm digging around in CVS, I noticed the addition of the
> '--negotiate' and '--ntlm' flags for the new auth mechanisms. Looking at
> the curlopt library code, it seems the intention is to 'choose one' when
> making the request.
>
> I know this isn't a mature bit of code yet (paint still very wet), but this
> seems a bit 'backwards' to me. The user would have to know/guess beforehand
> which auth methods the server supports. I would have thought it more
> 'natural' to have libcurl just choose from the list of methods presented by
> the server. (You could still have flags to disable those you don't like,
> for security purposes).

I think you're absolutely right.

We could have that option for forcing libcurl to use one particular
authentication method, like if you know a certain page requires it (as it
saves a round-trip). and we could have of the options be CURLAUTH_ANY and
then libcurl would check what the remote site wants and use the most
"suitable" in an order it decides (GSS-Negotiate => Digest => NTLM => Basic,
I guess).

The question is, what would the default be? Today, libcurl uses Basic if you
use HTTP and set username+password. That means we basicly have CURLAUTH_BASIC
set by default today.

I guess the only sensible thing that doesn't introduce weird side-effects to
old users is to remain doing that as default, and allow a new option to set
the ANY option.

I can't see any reason any user would decide to NOT use a specific
authentication, if ANY is selected.

Or am I wrong?

-- 
 Daniel Stenberg -- curl: been grokking URLs since 1998
-------------------------------------------------------
This SF.NET email is sponsored by: eBay
Great deals on office technology -- on eBay now! Click here:
http://adfarm.mediaplex.com/ad/ck/711-11697-6916-5