cURL / Mailing Lists / curl-library / Single Mail

curl-library

extra requests sent when using HTTPAUTH_DIGEST

From: Joe Mason <jmason_at_rim.com>
Date: Fri, 13 Apr 2012 14:17:13 +0000

As I understand HTTPAUTH, if I get a URL and the server returns a 401 response with a "WWW-Authenticate" header, I should resend the request with an Authorization header. And if I understand curl, it's supposed to be able to construct the Authorization header behind the scenes.

I've found that whenever I do this, when I call perform on the second request, curl actually sends 2 requests - one with Authorization and one without.

Here's a small test case using python:

#!/usr/bin/env python
from pycurl import *

def sendRequest(headerCallback, authtype = HTTPAUTH_NONE, username = "", password = ""):
    def swallow(buf):
        pass
    curl = Curl()
    curl.setopt(WRITEFUNCTION, swallow)
    curl.setopt(HEADERFUNCTION, headerCallback)
    curl.setopt(URL, "http://localhost/test2.php")
    if authtype != HTTPAUTH_NONE:
        curl.setopt(HTTPAUTH, authtype)
        curl.setopt(USERPWD, username + ":" + password)
    curl.perform()

def printHeaders(buf):
    print "Header: " + buf.strip()
    if buf.lower().find("www-authenticate") >= 0:
        raw_input("Hit enter to continue")
        sendRequest(printHeaders2, HTTPAUTH_DIGEST, "guest", "guest")

def printHeaders2(buf):
print "Header2: " + buf.strip()

sendRequest(printHeaders)

When I run this, I see this output in my server logs (including "req: <Authorization header from request> resp: <WWW-Authenticate header from response>")

127.0.0.1 - - [13/Apr/2012:10:13:57 -0400] "GET /test2.php HTTP/1.1" 401 367 "-" "PycURL/7.21.6" req:"-" resp:"Digest realm=\"Restricted area\",qop=\"auth\",nonce=\"4f8834a527618\",opaque=\"cdce8a5c95a1427d74df7acbf41c9ce0\""
(pause for input here)
127.0.0.1 - - [13/Apr/2012:10:13:59 -0400] "GET /test2.php HTTP/1.1" 401 367 "-" "PycURL/7.21.6" req:"-" resp:"Digest realm=\"Restricted area\",qop=\"auth\",nonce=\"4f8834a7d6315\",opaque=\"cdce8a5c95a1427d74df7acbf41c9ce0\""
127.0.0.1 - - [13/Apr/2012:10:13:59 -0400] "GET /test2.php HTTP/1.1" 200 220 "-" "PycURL/7.21.6" req:"Digest username=\"admin\", realm=\"Restricted area\", nonce=\"4f8834a7d6315\", uri=\"/test2.php\", cnonce=\"NTM0Mjg4\", nc=00000001, qop=\"auth\", response=\"b6efc44cb2390ca8be1e70c8d7964719\", opaque=\"cdce8a5c95a1427d74df7acbf41c9ce0\"" resp:"-"

And this is the output of the script:

Header: HTTP/1.1 401 Unauthorized
Header: Date: Fri, 13 Apr 2012 14:13:57 GMT
Header: Server: Apache/2.2.20 (Ubuntu)
Header: X-Powered-By: PHP/5.3.6-13ubuntu3.6
Header: WWW-Authenticate: Digest realm="Restricted area",qop="auth",nonce="4f8834a527618",opaque="cdce8a5c95a1427d74df7acbf41c9ce0"
Hit enter to continue
Header2: HTTP/1.1 401 Unauthorized
Header2: Date: Fri, 13 Apr 2012 14:13:59 GMT
Header2: Server: Apache/2.2.20 (Ubuntu)
Header2: X-Powered-By: PHP/5.3.6-13ubuntu3.6
Header2: WWW-Authenticate: Digest realm="Restricted area",qop="auth",nonce="4f8834a7d6315",opaque="cdce8a5c95a1427d74df7acbf41c9ce0"
Header2: Vary: Accept-Encoding
Header2: Content-Length: 39
Header2: Content-Type: text/html
Header2:
Header2: HTTP/1.1 200 OK
Header2: Date: Fri, 13 Apr 2012 14:13:59 GMT
Header2: Server: Apache/2.2.20 (Ubuntu)
Header2: X-Powered-By: PHP/5.3.6-13ubuntu3.6
Header2: Vary: Accept-Encoding
Header2: Content-Length: 27
Header2: Content-Type: text/html
Header2:
Header: Vary: Accept-Encoding
Header: Content-Length: 39
Header: Content-Type: text/html
Header:

So clearly what's happening here is that when I call perform the second time, curl sends a second request without the Authorized header (to which my server sends another 401) followed by the request with Authorization (to which my server sends 200).

Am I doing something wrong?

Thanks,
Joe

---------------------------------------------------------------------
This transmission (including any attachments) may contain confidential information, privileged material (including material protected by the solicitor-client or other applicable privileges), or constitute non-public information. Any use of this information by anyone other than the intended recipient is prohibited. If you have received this transmission in error, please immediately reply to the sender and delete this information from your system. Use, dissemination, distribution, or reproduction of this transmission by unintended recipients is not authorized and may be unlawful.

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2012-04-13

This message: [ Message body ]
Next message: Howard: "Newbie question about POST command using libcurl"
Previous message: Dan Fandrich: "Re: curlrules.h:143: error: size of array __curl_rule_01__ is negative in RH Linux"
Next in thread: Marc Hoersken: "Re: extra requests sent when using HTTPAUTH_DIGEST"
Reply: Marc Hoersken: "Re: extra requests sent when using HTTPAUTH_DIGEST"
Maybe reply: Daniel Stenberg: "RE: extra requests sent when using HTTPAUTH_DIGEST"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]