Cordial thanks, Christian, for the prompt reaction! It is a pity that I cannot make the test now, as I am at home where I have no access to the service in question. The test will be the first thing to do Monday morning - looking forward to it, and I shall report immediately!

Cheers,
Hans-Juergen

Christian Grün <christian.gr...@gmail.com> wrote at 19:17 on Friday, 20 February 2015:

Yet another update: I added the missing quotes in the client request. It didn't make a difference with the browsers I tried, but it might make a difference with other applications..

The new snapshot [1] has been available for approx. four seconds,
Christian

[1] http://files.basex.org/releases/latest/

On Fri, Feb 20, 2015 at 6:43 PM, Christian Grün <christian.gr...@gmail.com> wrote:
> Hi Hans-Jürgen,
>
> Thanks for the in-depth feedback on our client-side digest
> authentication. I have now included the algorithm in the client
> request (I thought the value was optional [1], but this may well be
> wrong). The length of the cnonce string shouldn't matter (..I
> think..).
>
> Could you please try the latest snapshot [2] and see if your server
> accepts the sent requests? If it doesn't, it may be the missing
> quotes..
>
> Thanks in advance!
> Christian
>
> [1] http://en.wikipedia.org/wiki/Digest_access_authentication#Overview
> [2] http://files.basex.org/releases/latest
>
> On Fri, Feb 20, 2015 at 5:40 PM, Hans-Juergen Rennau <hren...@yahoo.de> wrote:
>> Dear BaseX team,
>>
>> I have problems to get the http:send-request going when using Digest
>> authentication. I get a response as if the password were wrong, although I
>> think it isn't.
>>
>> Request:
>> <http:request method='post' send-authorization='true'
>>     username='foofoo' password='secret' auth-method="Digest">
>>   <http:body media-type='text/xml'
>>     method='xml'>{$useMsg}</http:body>
>> </http:request>
>>
>> Response:
>> <http:response xmlns:http="http://expath.org/ns/http-client"
>>     status="401" message="Unauthorized">
>>   <http:header name="Server" value="Apache/2.2.22 (Ubuntu)"/>
>>   <http:header name="WWW-Authenticate" value="Digest
>> realm="traveltainment", qop="auth",
>> nonce="1424448664077:8d932e72fb644113f4fb1a76f942cf1d",
>> opaque="pcyalPBREdBtyQHIHRxOQPgGANZiOjeW""/>
>>   <http:header name="Connection" value="close"/>
>>   <http:header name="Vary" value="Accept-Encoding"/>
>>   <http:header name="Content-Length" value="954"/>
>>   <http:header name="Date" value="Fri, 20 Feb 2015 16:11:04 GMT"/>
>>   <http:header name="Content-Type" value="text/html;charset=utf-8"/>
>> </http:response>
>>
>> Interestingly, a JMeter test using the same URL, user name and password
>> works correctly. (I used copy & paste to transfer the credentials from the
>> JMeter GUI into the XQuery code, and the credentials are just what some
>> documentation tells me; tried of course also typing them in manually.)
>>
>> Using Wireshark, I observed the messages sent by JMeter and BaseX,
>> respectively. BaseX does send two requests, as it is supposed to do; but the
>> authorization data sent by the second one are in two respects different from
>> the data sent by JMeter: JMeter sends a field: algorithm="MD5", which BaseX
>> does not, and the cnonce is much longer. (See below for the authorization
>> strings.)
>>
>> I use Java 8, and I suspect the problem is connected with that. I heard
>> rumours that Digest authentication with Java 8 might require a little
>> adaptation of the code. Did you try the module using Java 8?
>>
>> Cheers,
>> Hans-Juergen
>>
>> PS:
>> (1) Authentication sent by BaseX, failing:
>>
>> User-Agent: Java/1.8.0_31
>>
>> Authorization: Digest username=foofoo,
>> realm=traveltainment,
>> nonce=1424448664069:b6ed9add48830631ae90ad27cfcb5c5e,
>> uri=/TTXml-1.6/Dispatcher/Search/Package/RegionList,
>> qop=auth,
>> nc=00000001,
>> cnonce=9b2ff1ce6900217dd6be667aa6f99e12,
>> response=4e35b40dd4ba7d62cd6123d9adebc046,
>> opaque=pcyalPBREdBtyQHIHRxOQPgGANZiOjeW
>>
>>
>> Authorization: Digest username=foofoo,
>> realm=traveltainment,
>> nonce=1424449896135:5fa18cec34de1a15d8ce2a36df77bd6a,
>> uri=/TTXml-1.6/Dispatcher/Search/Package/RegionList,
>> qop=auth,
>> nc=00000001,
>> cnonce=5be8fce766d843e8ea29936b73ed94c7,
>> response=3757d8fb6cfc4c997030541c58e72d61,
>> opaque=pcyalPBREdBtyQHIHRxOQPgGANZiOjeW
>>
>> (2) Authentication sent by JMeter, successfully (please note the "algorithm"
>> field; also note the much shorter cnonce):
>>
>> User-Agent: Apache-HttpClient/4.2.6 (java 1.5)
>>
>> Autorization: Digest username="foofoo",
>> realm="traveltainment",
>> nonce="1424448476861:032a9011541d271a429d737844ec860a",
>> uri="/TTXml-1.6/Dispatcher/Search/Package/RegionList",
>> response="df6416855e49a0f28cff8020c30ad3a7",
>> qop=auth,
>> nc=00000001,
>> cnonce="c4b43ae817866fb5",
>> algorithm="MD5",
>> opaque="pcyalPBREdBtyQHIHRxOQPgGANZiOjeW"
>>
>> Authorization: Digest username="foofoo",
>> realm="traveltainment",
>> nonce="1424450034667:82c9d9977a208442a7926a948e163e45",
>> uri="/TTXml-1.6/Dispatcher/Search/Package/RegionList",
>> response="74712ad74209c954bfb6e545b5f8670b",
>> qop=auth,
>> nc=00000001,
>> cnonce="788dbfb1ed7a77ef",
>> algorithm="MD5",
>> opaque="pcyalPBREdBtyQHIHRxOQPgGANZiOjeW"
>>
>>
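
Added example, not part of the original thread and not BaseX or JMeter code: a Python sketch of the two things compared above, namely how the `response` value is computed for `qop=auth` with MD5, and which parameters of the captured BaseX header are sent without quotes. The function names are hypothetical; the check values used with it are the sample from RFC 2617, since the real password is not on the page.

```python
import hashlib
import re

# Parameters that the working JMeter request in the thread (and the sample
# header in RFC 2617) send as quoted-strings.
MUST_QUOTE = ("username", "realm", "nonce", "uri", "response", "cnonce", "opaque")

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """request-digest for algorithm=MD5 with qop=auth (RFC 2617, section 3.2.2)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")   # credentials hash
    ha2 = md5_hex(f"{method}:{uri}")              # request hash
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def build_authorization(user, realm, password, method, uri, nonce, cnonce,
                        opaque=None, nc="00000001"):
    """Build the header with string values quoted and the algorithm stated."""
    resp = digest_response(user, realm, password, method, uri, nonce, nc, cnonce)
    # algorithm, qop and nc are tokens in RFC 2617, so they stay unquoted here.
    parts = [f'username="{user}"', f'realm="{realm}"', f'nonce="{nonce}"',
             f'uri="{uri}"', "algorithm=MD5", "qop=auth", f"nc={nc}",
             f'cnonce="{cnonce}"', f'response="{resp}"']
    if opaque is not None:
        parts.append(f'opaque="{opaque}"')
    return "Digest " + ", ".join(parts)

def unquoted_params(header):
    """Return the MUST_QUOTE parameters that a header sends without quotes."""
    params = dict(re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', header))
    return [k for k in MUST_QUOTE if k in params and not params[k].startswith('"')]

# First failing header captured from BaseX, values copied from the thread.
BASEX_HEADER = (
    "Digest username=foofoo, realm=traveltainment, "
    "nonce=1424448664069:b6ed9add48830631ae90ad27cfcb5c5e, "
    "uri=/TTXml-1.6/Dispatcher/Search/Package/RegionList, qop=auth, "
    "nc=00000001, cnonce=9b2ff1ce6900217dd6be667aa6f99e12, "
    "response=4e35b40dd4ba7d62cd6123d9adebc046, "
    "opaque=pcyalPBREdBtyQHIHRxOQPgGANZiOjeW"
)

if __name__ == "__main__":
    print(unquoted_params(BASEX_HEADER))
```

The length of the cnonce does not enter the computation other than as an opaque string, so a 32-character and a 16-character cnonce are handled identically by `digest_response`.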