curl-library
Re: PUT with digest auth, sends HEAD #1054859
Date: Thu, 4 Nov 2004 21:17:22 +0100 (CET)
On Thu, 4 Nov 2004, Jamie Lokier wrote:
> You must implement this logic anyway, for _all_ requests. Any request can
> return an error code and the server may or may not close the connection
> after it.
This is already supported and dealt with.
> That means you issue a request, and if 401 is received, you get credentials
> ready and issue another _independent_ request.
This too is already what happens. It may or may not re-use the connection when
doing auth. But for NTLM it is necessary that it re-uses the connection or
else the auth will fail.
> For maximum performance, you shouldn't even try to use the same connection
> for the second request. Just let the normal pool reuse occur.
... this is what we do!
> That improves throughput if the libcurl user is issuing several concurrent
> requests already, and you are already pipelining them by the time a 401 from
> one of them is received.
But we have no pipeline support in libcurl yet! ;-)
>> Yes, NTLM is the one that has caused me the most headache and since I
>> prefer using the same method for all multi-pass methods, this is where we
>> are now: in the wrong corner. ;-)
>
> Do you strictly depend on all auth methods using the same connection?
No. But I want the same procedure anyway.
> If you do get a trace of Microsoft clients and NTLM, then hopefully one of
> these will be true:
>
> 1. Some magic parameter is carried from the 401 response to the
> next request, and it doesn't really need to use the same connection.
>
> 2. The NTLM server does close the connection for large PUTs, even if
> it doesn't for small ones.
>
> 3. The Microsoft client doesn't use PUT, it uses something else with
> no request body for auth, just like curl uses HEAD.
Option 2 would need to imply option 1 somehow to allow it to work even though
the connection is closed.
You also forgot this option
4. The Microsoft client sends the PUT data twice, unconditonally.
The worst part is that I'm not sure which one of these I hope it'll turn out
to be!
> Since I don't live in a Microsoft universe or using anything other than Word
> and IE for testing, I've never encountered NTLM-over-HTTP personally. It's
> a shame there's no RFC (I didn't find one).
Vendor lock-ins wouldn't be vendor lock-ins if they documented them. :-)
The best NTLM docs I know is Eric Glass'. I keep a copy of it here:
http://curl.haxx.se/rfc/ntlm.html
-- Daniel Stenberg -- http://curl.haxx.se -- http://daniel.haxx.se Dedicated custom curl help for hire: http://haxx.se/curl.htmlReceived on 2004-11-04