Cordial thanks, Christian, for the prompt reaction! It is a pity that I cannot 
make the test now, as I am at home where I have no access to the service in 
question. The test will be the first thing to do Monday morning - looking 
forward to it, and I shall report immediately!
Cheers, Hans-Juergen

     Christian Grün <christian.gr...@gmail.com> wrote at 19:17 on Friday, 20 February 2015:
   

 Yet another update: I added the missing quotes in the client request.
It didn't make a difference with the browsers I tried, but it might
make a difference with other applications..

The new snapshot [1] has been available for approx. four seconds,
Christian

[1] http://files.basex.org/releases/latest/


On Fri, Feb 20, 2015 at 6:43 PM, Christian Grün
<christian.gr...@gmail.com> wrote:
> Hi Hans-Jürgen,
>
> Thanks for the in-depth feedback on our client-side digest
> authentication. I have now included the algorithm in the client
> request (I thought the value was optional [1], but this may well be
> wrong). The length of the cnonce string shouldn't matter (..I
> think..).
>
> Could you please try the latest snapshot [2] and see if your server
> accepts the sent requests? If it doesn't, it may be the missing
> quotes..
>
> Thanks in advance!
> Christian
>
> [1] http://en.wikipedia.org/wiki/Digest_access_authentication#Overview
> [2] http://files.basex.org/releases/latest
>
>
>
> On Fri, Feb 20, 2015 at 5:40 PM, Hans-Juergen Rennau <hren...@yahoo.de> wrote:
>> Dear BaseX team,
>>
>> I have problems getting the http:send-request going when using Digest
>> authentication. I get a response as if the password were wrong, although I
>> think it isn't.
>>
>> Request:
>>        <http:request method='post' send-authorization='true'
>>              username='foofoo' password='secret' auth-method="Digest">
>>            <http:body media-type='text/xml' method='xml'>{$useMsg}</http:body>
>>        </http:request>
>>
>> Response:
>>    <http:response xmlns:http="http://expath.org/ns/http-client" status="401" message="Unauthorized">
>>      <http:header name="Server" value="Apache/2.2.22 (Ubuntu)"/>
>>      <http:header name="WWW-Authenticate" value="Digest
>> realm=&quot;traveltainment&quot;, qop=&quot;auth&quot;,
>> nonce=&quot;1424448664077:8d932e72fb644113f4fb1a76f942cf1d&quot;,
>> opaque=&quot;pcyalPBREdBtyQHIHRxOQPgGANZiOjeW&quot;"/>
>>      <http:header name="Connection" value="close"/>
>>      <http:header name="Vary" value="Accept-Encoding"/>
>>      <http:header name="Content-Length" value="954"/>
>>      <http:header name="Date" value="Fri, 20 Feb 2015 16:11:04 GMT"/>
>>      <http:header name="Content-Type" value="text/html;charset=utf-8"/>
>>    </http:response>
>>
>> Interestingly, a JMeter test using the same URL, user name and password
>> works correctly. (I used copy & paste to transfer the credentials from the
>> JMeter GUI into the XQuery code, and the credentials are just what some
>> documentation tells me; tried of course also typing them in manually.)
>>
>> Using Wireshark, I observed the messages sent by JMeter and BaseX,
>> respectively. BaseX does send two requests, as it is supposed to do; but the
>> authorization data sent by the second one are in two respects different from
>> the data sent by JMeter: JMeter sends a field: algorithm="MD5", which BaseX
>> does not, and the cnonce is much longer. (See below for the authorization
>> strings.)
>>
>> I use Java 8, and I suspect the problem is connected with that. I heard
>> rumours that Digest authentication with Java 8 might require a little
>> adaptation of the code. Did you try the module using Java 8?
>>
>> Cheers,
>> Hans-Juergen
>>
>> PS:
>> (1) Authentication sent by BaseX, failing:
>>
>> User-Agent: Java/1.8.0_31
>>
>> Authorization: Digest username=foofoo,
>> realm=traveltainment,
>> nonce=1424448664069:b6ed9add48830631ae90ad27cfcb5c5e,
>> uri=/TTXml-1.6/Dispatcher/Search/Package/RegionList,
>> qop=auth,
>> nc=00000001,
>> cnonce=9b2ff1ce6900217dd6be667aa6f99e12,
>> response=4e35b40dd4ba7d62cd6123d9adebc046,
>> opaque=pcyalPBREdBtyQHIHRxOQPgGANZiOjeW
>>
>>
>> Authorization: Digest username=foofoo,
>> realm=traveltainment,
>> nonce=1424449896135:5fa18cec34de1a15d8ce2a36df77bd6a,
>> uri=/TTXml-1.6/Dispatcher/Search/Package/RegionList,
>> qop=auth,
>> nc=00000001,
>> cnonce=5be8fce766d843e8ea29936b73ed94c7,
>> response=3757d8fb6cfc4c997030541c58e72d61,
>> opaque=pcyalPBREdBtyQHIHRxOQPgGANZiOjeW
>>
>> (2) Authentication sent by JMeter, successfully (please note the "algorithm"
>> field; also note the much shorter cnonce):
>>
>> User-Agent: Apache-HttpClient/4.2.6 (java 1.5)
>>
>> Authorization: Digest username="foofoo",
>> realm="traveltainment",
>> nonce="1424448476861:032a9011541d271a429d737844ec860a",
>> uri="/TTXml-1.6/Dispatcher/Search/Package/RegionList",
>> response="df6416855e49a0f28cff8020c30ad3a7",
>> qop=auth,
>> nc=00000001,
>> cnonce="c4b43ae817866fb5",
>> algorithm="MD5",
>> opaque="pcyalPBREdBtyQHIHRxOQPgGANZiOjeW"
>>
>> Authorization: Digest username="foofoo",
>> realm="traveltainment",
>> nonce="1424450034667:82c9d9977a208442a7926a948e163e45",
>> uri="/TTXml-1.6/Dispatcher/Search/Package/RegionList",
>> response="74712ad74209c954bfb6e545b5f8670b",
>> qop=auth,
>> nc=00000001,
>> cnonce="788dbfb1ed7a77ef",
>> algorithm="MD5",
>> opaque="pcyalPBREdBtyQHIHRxOQPgGANZiOjeW"
>>
>>
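
The quoting and `algorithm` differences discussed in this thread can be checked mechanically. The following is an added example, not part of the original messages and not BaseX code: it lints a Digest `Authorization` value against the quoting rules of RFC 7616 section 3.4 and builds a conforming header with the RFC 2617 `qop=auth` MD5 computation. The function names are assumptions made for the example, and `secret` is the password shown in the request above.

```python
import hashlib
import re

# RFC 7616 section 3.4: a sender must quote these parameters ...
QUOTED = {"username", "realm", "nonce", "uri", "response", "cnonce", "opaque"}
# ... and must not quote these.
BARE = {"algorithm", "qop", "nc"}
PARAM = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^,\s]+)')

def lint_digest(header):
    """Return the quoting problems found in a Digest Authorization value."""
    problems = []
    for name, raw in PARAM.findall(header):
        if name in QUOTED and not raw.startswith('"'):
            problems.append(f"{name}: must be a quoted string")
        elif name in BARE and raw.startswith('"'):
            problems.append(f"{name}: must not be quoted")
    return problems

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """Response value for qop=auth with algorithm MD5 (RFC 2617, 3.2.2.1)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def build_header(user, realm, password, method, uri, nonce, nc, cnonce, opaque):
    """Assemble a header whose quoting passes lint_digest()."""
    resp = digest_response(user, realm, password, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}", qop=auth, nc={nc}, '
            f'cnonce="{cnonce}", algorithm=MD5, opaque="{opaque}"')

# First BaseX header from the thread: unquoted values, no algorithm field.
BASEX = ("Digest username=foofoo, realm=traveltainment, "
         "nonce=1424448664069:b6ed9add48830631ae90ad27cfcb5c5e, "
         "uri=/TTXml-1.6/Dispatcher/Search/Package/RegionList, qop=auth, "
         "nc=00000001, cnonce=9b2ff1ce6900217dd6be667aa6f99e12, "
         "response=4e35b40dd4ba7d62cd6123d9adebc046, "
         "opaque=pcyalPBREdBtyQHIHRxOQPgGANZiOjeW")

if __name__ == "__main__":
    print(lint_digest(BASEX))
    # Same challenge values, rebuilt with conforming quoting (method is POST).
    print(build_header("foofoo", "traveltainment", "secret", "POST",
                       "/TTXml-1.6/Dispatcher/Search/Package/RegionList",
                       "1424448664069:b6ed9add48830631ae90ad27cfcb5c5e",
                       "00000001", "9b2ff1ce6900217dd6be667aa6f99e12",
                       "pcyalPBREdBtyQHIHRxOQPgGANZiOjeW"))
```

Run over the JMeter header from the thread, the same check reports only the quoted `algorithm` value, which the server evidently tolerated.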

   
