curl-library

Auth regression

From: Joe Mason <jmason_at_rim.com>
Date: Tue, 23 Oct 2012 04:56:17 +0000

I've added a new auth test at https://github.com/JoeNotCharles/curl/commits/auth_state (top commit)

It uses one connection and sends 6 requests on it, each with CURLAUTH_ALL. Each even-numbered request uses credentials "testuser:wrongpass" (will fail auth) and each odd-numbered request uses credentials "testuser:testpass". The server side of the test will reply to the first two requests with WWW-Authenticate: Basic (only), the next two with Digest (only), and the last two with NTLM (only). So, this tests that different types of auth can be used over the same connection when the auth type allowed by the user is not artificially restricted as in the previous auth tests.

This is a valid real-world test because it's not uncommon for different directories on the same server to have different auth types enabled (controlled by .htaccess files, for instance) and requests to different directories on the same server should reuse the same connection, so responses from the server on the same connection may in fact have different WWW-Authenticate headers.

I'm pretty sure the expected input and output for this test are correct - I tested it by testing the 2 requests for each auth type separately. But note that there's no version of curl that will currently pass it. Before sha ce8311c7e49eca93c136b58efa6763853541ec97, after the two Basic requests, the Digest and NTLM requests will never be sent because auth->picked is still set to Basic. After that SHA, curl does not remember what the server claimed to support in the last request.

Tomorrow I'll start trying to find a solution. In the meantime, can anyone spot any problems with the test or other cases that should be added?

Joe

Received on 2012-10-23
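
The following is an added example, not part of the mail and not curl source code: a simplified C model of the six-request sequence described above, comparing a client that keeps its first picked scheme for the whole connection with one that picks again from each challenge. All identifiers are hypothetical, and it assumes requests are numbered from 1 and that a scheme is retried only when the current response offers it.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, not libcurl code. All names here are hypothetical. */
enum { BASIC = 1, DIGEST = 2, NTLM = 4, ALL = BASIC | DIGEST | NTLM };

struct result { int status[6]; int auth_sent; };

/* Constructed server schedule from the mail: requests 1-2 offer only Basic,
   3-4 only Digest, 5-6 only NTLM. */
static int offered_for(int n) { return n <= 2 ? BASIC : n <= 4 ? DIGEST : NTLM; }

/* Lowest set bit of the schemes both sides accept (0 if none). */
static int pick(int allowed, int offered) { int m = allowed & offered; return m & -m; }

/* sticky != 0: keep the first picked scheme for the life of the connection.
   sticky == 0: choose again from every 401 challenge. */
static struct result run(int sticky)
{
  struct result r;
  int picked = 0;
  r.auth_sent = 0;
  for (int n = 1; n <= 6; n++) {
    /* Assumption: 1-based numbering, so odd requests carry the good password. */
    const char *pass = (n % 2) ? "testpass" : "wrongpass";
    int offered = offered_for(n);   /* challenge in the 401 to the bare request */
    if (!sticky || !picked)
      picked = pick(ALL, offered);
    r.status[n - 1] = 401;
    if (picked & offered) {         /* retry with credentials for that scheme */
      r.auth_sent++;
      if (strcmp(pass, "testpass") == 0)
        r.status[n - 1] = 200;
    }
  }
  return r;
}

int main(void)
{
  for (int sticky = 1; sticky >= 0; sticky--) {
    struct result r = run(sticky);
    printf("%s: auth_sent=%d statuses:", sticky ? "sticky" : "per-challenge", r.auth_sent);
    for (int i = 0; i < 6; i++) printf(" %d", r.status[i]);
    printf("\n");
  }
  return 0;
}
```

In the sticky run only the two Basic requests are ever retried with credentials; in the per-challenge run all six are, and the odd-numbered ones succeed.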