On Thu, 17 Jul 2014, Michael Osipov wrote:

WWW-Authenticate: Basic realm="A"
WWW-Authenticate: Basic realm="B"

That makes no sense and is incorrect.

Is it really? What if it has two overlapping realms and offers you to log in to any of them to access that resource?

I'm fully convinced you will find servers out there returning headers like that.

$ curl --verbose --basic -u michael-o:secret http://<host> -o /dev/null

The client has never been challenged to authenticate but performs preemptive auth, thus disclosing his password.

Yes, because you're asking for it!

I don't see a need for --preemptive.

The above shows the need.

I disagree. Use --anyauth instead of --basic and it'll probe and use whatever method the server and curl agree to use.

If there's a missing option it would then rather be one that allows you to say "I only want to use {basic,digest,ntlm,...} but I still want to probe first" - which libcurl can do but that ability isn't exposed to the command line tool afair.

--

 / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
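
Added example, not part of the original message and not curl or libcurl code: a small Python model of the two client policies discussed in this thread, preemptive Basic versus probing first and answering only with an allowed scheme. All function names, the preference order, and the sample header values are assumptions constructed for illustration; each header value is assumed to carry a single challenge.

```python
import base64
import re

# Preference order among offered schemes (an assumption of this example).
PREFERENCE = ["negotiate", "ntlm", "digest", "basic"]

# Constructed WWW-Authenticate values; the first pair mirrors the thread.
TWO_BASIC = ['Basic realm="A"', 'Basic realm="B"']
MIXED = ['Digest realm="A", nonce="abc123", qop="auth"', 'Basic realm="A"']


def parse_challenges(header_values):
    """Turn WWW-Authenticate values (one challenge each) into (scheme, params)."""
    challenges = []
    for value in header_values:
        scheme, _, rest = value.strip().partition(" ")
        params = {k.lower(): v for k, v in re.findall(r'(\w+)="([^"]*)"', rest)}
        challenges.append((scheme.lower(), params))
    return challenges


def first_request_headers(user, password, preemptive):
    """Headers sent on the very first request, before any challenge is seen."""
    if not preemptive:
        return {}  # probe first: nothing secret leaves the client yet
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}  # password disclosed unasked


def choose_challenge(status, header_values, allowed):
    """Probe-first policy: answer a 401 only with a scheme from `allowed`."""
    if status != 401:
        return None  # server never asked, so credentials are never sent
    offered = [c for c in parse_challenges(header_values) if c[0] in allowed]
    # Stable sort: among equal schemes (two Basic realms) the first one wins.
    offered.sort(key=lambda c: PREFERENCE.index(c[0])
                 if c[0] in PREFERENCE else len(PREFERENCE))
    return offered[0] if offered else None


if __name__ == "__main__":
    print(first_request_headers("michael-o", "secret", preemptive=True))
    print(choose_challenge(401, TWO_BASIC, {"basic"}))
    print(choose_challenge(401, MIXED, {"basic", "digest"}))
    print(choose_challenge(401, MIXED, {"basic"}))
```
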