#36 HttpDigest authentication patch

zsi (12)

The HTTP Digest authentication (see patch 1291199) has
some bugs that prevent it from working properly, e.g. with
the apache2 web server.

This is a patch for Bug with Request ID 1593310

The patch was made against SVN trunk, revision 1298
from 09 Nov 2006

What was changed:
- uri in digest authentication header is not complete
uri, but only directory on server ("/" as default)

- digest authentication header in server response
(Err 401) is parsed correctly, which allows e.g. white
spaces inside quotes


  • Martin Dittmar

    Martin Dittmar - 2006-11-09

    The complete patched file

  • Joshua Boverhof

    Joshua Boverhof - 2007-01-25
    • assigned_to: nobody --> boverhof
    • status: open --> open-accepted
  • Joshua Boverhof

    Joshua Boverhof - 2007-01-25

    Logged In: YES
    Originator: NO

    Investigation of request-uri


    credentials = "Digest" digest-response
    digest-response = 1#( username | realm | nonce | digest-uri
    | response | [ algorithm ] | [cnonce] |
    [opaque] | [message-qop] |
    [nonce-count] | [auth-param] )

    digest-uri = "uri" "=" digest-uri-value
    digest-uri-value = request-uri ; As specified by HTTP/1.1

    Various considerations

    The "Method" value is the HTTP request method as specified in section
    5.1.1 of [2]. The "request-uri" value is the Request-URI from the
    request line as specified in section 5.1.2 of [2]. This may be "*",
    an "absoluteURL" or an "abs_path" as specified in section 5.1.2 of
    [2], but it MUST agree with the Request-URI. In particular, it MUST
    be an "absoluteURL" if the Request-URI is an "absoluteURL".


    Request-URI = "*" | absoluteURI | abs_path | authority

    And it gives two examples, which request the same page with different "Request-URI"s:

    GET http://www.w3.org/pub/WWW/TheProject.html HTTP/1.1

    GET /pub/WWW/TheProject.html HTTP/1.1
    Host: www.w3.org

    So this is the wrong place to fix this bug.

    I fixed it in the "client.py" code:

    $ svn diff client.py
    Index: client.py
    --- client.py (revision 1322)
    +++ client.py (working copy)
    @@ -273,8 +273,8 @@
    print >>self.trace, soapdata

    #scheme,netloc,path,nil,nil,nil = urlparse.urlparse(url)
    - path = _get_postvalue_from_absoluteURI(url)
    - self.h.putrequest("POST", path)
    + request_uri = _get_postvalue_from_absoluteURI(url)
    + self.h.putrequest("POST", request_uri)
    self.h.putheader("Content-Length", "%d" % len(soapdata))
    self.h.putheader("Content-Type", 'text/xml; charset=utf-8')
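
    Review bot: The commented-out `#scheme,netloc,path,nil,nil,nil = urlparse.urlparse(url)` line at the top of this hunk still refers to `path`, the name this change retires in favour of `request_uri`; delete the dead line or update it so a later edit does not reintroduce a second, differently derived value. The two changed lines only rename the local variable, so a one-line comment at the `putrequest` call stating that `request_uri` is the exact string sent on the request line, and the one the Digest `uri` field must agree with, would record why the name matters.
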
    @@ -291,7 +291,7 @@
    elif self.auth_style == AUTH.httpdigest and not headers.has_key('Authorization') \ and not headers.has_key('Expect'):
    def digest_auth_cb(response):
    - self.SendSOAPDataHTTPDigestAuth(response, soapdata, url, soapaction, **kw)
    + self.SendSOAPDataHTTPDigestAuth(response, soapdata, request_uri, soapaction, **kw)
    self.http_callbacks[401] = None
    self.http_callbacks[401] = digest_auth_cb
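
    Review bot: The call inside `digest_auth_cb` now passes `request_uri` in the position where `url` was passed, but the signature and body of `SendSOAPDataHTTPDigestAuth` are not part of this diff. If that method still names the parameter `url`, or runs `_get_postvalue_from_absoluteURI` on it again, it now receives an already-reduced value; rename the parameter there in the same change and include it in the patch. The closure also depends on `request_uri` being assigned earlier in the same method (first hunk), so the two hunks have to land together.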

  • Joshua Boverhof

    Joshua Boverhof - 2007-01-25
    • status: open-accepted --> pending-accepted
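
The request-uri rule quoted in the investigation above, as an added example that is not ZSI code: the Digest `uri` field is hashed into the response and must equal the Request-URI on the request line. The function names and the strict string comparison on the server side are assumptions for illustration; the sample credentials are the ones from the worked example in RFC 2617, section 3.5.

```python
import hashlib
import hmac


def _md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(p, password, method):
    """request-digest for algorithm=MD5, qop=auth (RFC 2617, section 3.2.2)."""
    ha1 = _md5_hex("%s:%s:%s" % (p["username"], p["realm"], password))
    ha2 = _md5_hex("%s:%s" % (method, p["uri"]))  # the digest-uri is hashed here
    return _md5_hex(":".join((ha1, p["nonce"], p["nc"], p["cnonce"], "auth", ha2)))


def server_accepts(request_line, p, password):
    """Accept only if uri agrees with the Request-URI and the digest matches."""
    method, request_uri, _version = request_line.split(" ")
    if p["uri"] != request_uri:
        return False
    return hmac.compare_digest(digest_response(p, password, method), p["response"])


def client_params(uri_field, password, method="POST"):
    """What a client sends when it puts uri_field into the Authorization header."""
    p = dict(SAMPLE, uri=uri_field)
    p["response"] = digest_response(p, password, method)
    return p


# Sample values from the worked example in RFC 2617, section 3.5.
SAMPLE = {
    "username": "Mufasa", "realm": "testrealm@host.com",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
    "nc": "00000001", "cnonce": "0a4f113b",
}
PASSWORD = "Circle Of Life"

if __name__ == "__main__":
    line = "POST /dir/index.html HTTP/1.1"  # constructed request line
    for uri in ("/dir/index.html", "/dir/", "http://www.example.org/dir/index.html"):
        print(uri, server_accepts(line, client_params(uri, PASSWORD), PASSWORD))
```

Only the first `uri` value is accepted: a directory-only value or an absolute URL fails the agreement check when the request line carries the abs_path, even though each digest is internally consistent.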
  • Joshua Boverhof

    Joshua Boverhof - 2007-01-25

    Logged In: YES
    Originator: NO

    Investigation of challenge dict:

    I created a unittest from rfc2617 to demonstrate what I believe is correct behavior. I think you demonstrated that fetch_challenge is incomplete. However, I think the patch you provided here is lacking because it doesn't ignore whitespace in some cases, so I rewrote it using re.

    Please verify that this is working in branch:
    svn co https://pywebsvcs.svn.sourceforge.net/svnroot/pywebsvcs/branches/ZSI_v2_0_0

    python test_digest_auth.py

    Basic realm="WallyWorld"

    CORRECT: {'challenge': 'Basic', 'realm': 'WallyWorld'}
    PATCH: {'challenge': 'Basic', 'realm': 'WallyWorld'}
    OLD: {'challenge': 'Basic', 'realm': 'WallyWorld'}
    Basic realm="Wally World"
    CORRECT: {'challenge': 'Basic', 'realm': 'Wally World'}
    PATCH: {'challenge': 'Basic', 'realm': 'Wally World'}
    OLD: {'challenge': 'Basic', 'realm': 'Wally'}
    CORRECT: {'nonce': 'dcd98b7102dd2f0e8b11d0f600bfb0c093', 'challenge': 'Digest', 'opaque': '5ccc069c403ebaf9f0171e9517f40e41', 'realm': 'testrealm@host.com', 'qop': 'auth,auth-int'}
    PATCH: {'nonce': 'dcd98b7102dd2f0e8b11d0f600bfb0c093', 'challenge': 'Digest\n', 'opaque': '5ccc069c403ebaf9f0171e9517f40e41', 'realm': 'testrealm@host.com', 'qop': 'auth,auth-int'}
    OLD: {'nonce': 'dcd98b7102dd2f0e8b11d0f600bfb0c093\n', 'challenge': 'Digest\n', 'opaque': '5ccc069c403ebaf9f0171e9517f40e41', 'realm': 'testrealm@host.com\n', 'qop': 'authauth-int\n'}
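
A regex-based challenge parser that produces the CORRECT dictionaries shown in the test output above, as an added example; it is not ZSI's `fetch_challenge` or the code committed to the branch. The name `parse_challenge`, the duplicate-parameter check and the tolerance for a missing comma are assumptions made here.

```python
import re

# auth-param = token "=" ( token | quoted-string )   (RFC 2617, section 1.2)
_PARAM = re.compile(r'''
    \s*,?\s*                  # separator, tolerating spaces and folded lines
    ([\w-]+)                  # parameter name
    \s*=\s*
    (?: "((?:[^"\\]|\\.)*)"   # quoted-string: may contain spaces and commas
      | ([^\s,"]+) )          # or an unquoted token
''', re.VERBOSE)


def parse_challenge(header_value):
    """Return {'challenge': scheme, <param>: <value>, ...} for one challenge."""
    m = re.match(r'([^\s,]+)\s*(.*)\Z', header_value.strip(), re.DOTALL)
    if not m:
        raise ValueError('empty challenge')
    scheme, rest = m.groups()
    result = {'challenge': scheme}
    pos = 0
    while pos < len(rest):
        p = _PARAM.match(rest, pos)
        if not p:
            if rest[pos:].strip(' ,\t\r\n'):
                raise ValueError('malformed auth-param at offset %d' % pos)
            break
        name, quoted, token = p.group(1).lower(), p.group(2), p.group(3)
        if name in result:
            raise ValueError('duplicate auth-param: %s' % name)
        # Undo quoted-pair escapes (\" and \\) only inside quoted-strings.
        result[name] = re.sub(r'\\(.)', r'\1', quoted) if quoted is not None else token
        pos = p.end()
    return result


# Input constructed from the RFC 2617 Digest example the ticket's unit test uses.
RFC_DIGEST = '''Digest
    realm="testrealm@host.com",
    qop="auth,auth-int",
    nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
    opaque="5ccc069c403ebaf9f0171e9517f40e41"'''

if __name__ == '__main__':
    for value in ('Basic realm="Wally World"', RFC_DIGEST):
        print(parse_challenge(value))
```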

  • SourceForge Robot

    • status: pending-accepted --> closed-accepted
  • SourceForge Robot

    Logged In: YES
    Originator: NO

    This Tracker item was closed automatically by the system. It was
    previously set to a Pending status, and the original submitter
    did not respond within 14 days (the time period specified by
    the administrator of this Tracker).

