Maurizio Lotauro wrote:
>> Digest authentication requires at least one server challenge per
>> protection space (realm). This is similar to basic authentication
>> which may use a realm as challenge (currently not supported by basic
>> in both THttpCli and THttpServer).
>
> The last sentence is not clear to me, can you explain?

This was not quite correct since the THttpServer actually allows specifying a realm with basic authentication as well. However it is not easy in the THttpCli to obtain this value unless you parse the AuthorizationRequest list. Both Basic and Digest server responses include a realm:

RFC 2617:
"
2 Basic Authentication Scheme

The "basic" authentication scheme is based on the model that the client must authenticate itself with a user-ID and a password for each realm. The realm value should be considered an opaque string which can only be compared for equality with other realms on that server. The server will service the request only if it can validate the user-ID and password for the protection space of the Request-URI. There are no optional authentication parameters.
"

Also, both do not require a persistent connection and both require just a _single_ server challenge, that's the similarity I meant.

>> Any thoughts and suggestions?
>
> I already made a similar change. I have a modified version of
> THttpCli where I changed how the authentication is handled, so it is
> very easy to add a new one, and without touching the THttpCli class.
> As support I added an event so the authentication can be handled by
> the application or by an inherited class.
> In fact I have a derived class that ask for user and password and
> cache these information so it will not ask again.

Something like that is required, also because current authentication code in the THttpCli is a complicated nightmare, error-prone and contains plenty of duplicated code.

>
> All this is at least three year old and I think it can be considered
> stable. If you want I can send it to you. But keep in mind that after
> our recent discussion about the authentication problem with Tomcat I
> planned to revise it to avoid the double request.

Yes, please send it as PM.
--
Arno Garrels [TeamICS]
http://www.overbyte.be/eng/overbyte/teamics.html
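The realm lookup and credential caching discussed in this message, as an added Python example (not ICS or THttpCli code, and not written by either poster): it parses `WWW-Authenticate` values into challenges and caches credentials per protection space, keyed on origin as well as realm because any server can announce any realm string. The names `parse_challenges` and `CredentialCache`, the sample header and the Digest-before-Basic preference are assumptions of this example.

```python
import re

# auth-param: token "=" ( token | quoted-string ); a bare token starts a new scheme.
# token68 credentials (e.g. Negotiate) are outside the scope of this sketch.
_ITEM = re.compile(
    r"[\s,]*([A-Za-z0-9!#$%&'*+.^_`|~-]+)"
    r'(?:\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+)))?'
)

def parse_challenges(header_values):
    """Return [(scheme, {param: value})] for all WWW-Authenticate values."""
    challenges = []
    for value in header_values:
        value, pos, current = value.strip(" \t,"), 0, None
        while pos < len(value):
            m = _ITEM.match(value, pos)
            if m is None:
                raise ValueError("malformed challenge at offset %d" % pos)
            name, quoted, bare = m.groups()
            if quoted is None and bare is None:      # scheme name
                current = {}
                challenges.append((name.lower(), current))
            elif current is None:
                raise ValueError("auth-param before any scheme")
            else:                                    # undo quoted-pair escapes
                current[name.lower()] = (
                    re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else bare)
            pos = m.end()
    return challenges

class CredentialCache:
    """Credentials keyed by protection space: (origin, realm)."""
    def __init__(self):
        self._store = {}

    def put(self, origin, realm, user, password):
        self._store[(origin.lower(), realm)] = (user, password)

    def lookup(self, origin, challenges):
        """Pick Digest before Basic; realm is opaque, so exact match only."""
        for wanted in ("digest", "basic"):
            for scheme, params in challenges:
                cred = self._store.get((origin.lower(), params.get("realm")))
                if scheme == wanted and cred is not None:
                    return scheme, params["realm"], cred
        return None

# Constructed sample: one header value carrying two challenges.
SAMPLE = ['Basic realm="Staff, Area", Digest realm="Staff, Area", nonce="n\\"1", qop=auth']
```
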