cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: Windows SSPI patch?

From: Daniel Stenberg <daniel-curl_at_haxx.se>
Date: Fri, 11 Mar 2005 16:24:33 +0100 (CET)

On Thu, 10 Mar 2005, Christopher R. Palmer wrote:

> Otherwise the patch seems to be working for me. With these two changes I
> can compile and it runs correctly.

I commited those fixes now.

>> Will it be useful and make sense to add a new bit for SSPI in the
>> curl_version_info() call?
>
> That sounds like a good idea, if for no other reason than for debugging
> problems that users have with the software.

Added that now: CURL_VERSION_SSPI

> There was one comment that I didn't address in my patch. That was the idea
> of signalling that authentication should be attempted without a
> user/password being set. As a hack, I use --user : to specify that the
> default user should be used. This seems like a pretty bad idea and that
> something better could be done. You mentioned that this had come up before
> with digest authentication?

It is an existing issue with Negotiate in exactly the same way you experience,
since that too has a concept of user credentials present without --user being
used. (KNOWN_BUGS #10)

I think the problem is that libcurl has traditionally used the user+password
as a signal that authenticaion is wanted, so apps have casually been able to
set authentication method even when no auth was actually wanted nor used. Even
curl the command line tool does this.

Thus, we cannot easily (without risking breaking a bunch of existing apps)
just switch libcurl to use authentication method to indicate this.

I have no good answer to how this is best solved, other than possibly adding a
new option, but it feels like we should be able to come up with something
better!

-- 
      Daniel Stenberg -- http://curl.haxx.se -- http://daniel.haxx.se
       Dedicated custom curl help for hire: http://haxx.se/curl.html
Received on 2005-03-11