Justus wrote:
On Wed, Apr 08, 2009 at 03:42:46AM +0000, corvid wrote:
Justus wrote:
corvid wrote:
* http digest can provide integrity protection for the request body by computing a hash over the request body, but I have no pointer to the request body, only the request URL. We might need to pass the whole request object (is there such a thing?) to the auth code instead of just the url. The code is there, just the pointer is missing. The code in auth.c will select the method without integrity protection for now, hoping that the server will accept both auth and auth-int.
It sounds like entity-body is what you get _after_ dealing with the transfer coding (chunked) but _before_ dealing with the content coding (gzip). How annoying. It sounds like it would be necessary to hack some special field into the cache entry to be used when we see a WWW-Authenticate header, at least if it was gzipped... Any hints on that one?
The ever-growing CacheEntry_t would need an EntityBody field, and in a_Cache_process_dbuf, it would go something like if (entry->TransferDecoder) { dstr1 = a_Decode_process(entry->TransferDecoder, str, len); str = dstr1->str; len = dstr1->len; } if (entry->Auth) Dstr_append_l(entry->EntityBody, str, len);
if (entry->ContentDecoder) { dstr2 = a_Decode_process(entry->ContentDecoder, str, len); str = dstr2->str; len = dstr2->len; }
And then your code will need to call something like a_Cache_get_entity_body(url).
Maybe I am the one being completly wrong here, but we're talking about the request body, right? I wouldn't expect to find that that one in the cache...
Oh, oh the request... (I don't really know the mechanics of auth at all yet, having felt content to have Jeremy and Justus as the auth experts :) Does URL_DATA(url)->str have what you might expect for POST?
I think that we should abandon auth-int, as noone else supports it (apache doesn't [0] and neither does mozilla [1]. libneon once supported it, but the code in question was removed in 2005 [2]).
I am gonna update my code to reflect that fact. Any more thoughts?
Justus
0: http://httpd.apache.org/docs/2.2/mod/mod_auth_digest.html#authdigestqop 1: https://bugzilla.mozilla.org/show_bug.cgi?id=168942 2: $ grep -A 3 r462 neon27-0.28.2/ChangeLog r462 | joe | 2005-01-27 22:04:44 +0000 (Thu, 27 Jan 2005) | 7 lines
* src/ne_auth.c: Drop qop=auth-int support, sice it is universally unimplemented by servers and comes with too much baggage. (struct