"Uri Cohen" <[EMAIL PROTECTED]> writes:
> Microsoft's Hotmail uses the proprietary HTTPMail protocol to allow Outlook Express
> and MSN Messenger to access Hotmail webmail accounts. This is a simple WebDAV
> (http://www.webdav.org) based protocol which is supposed to be an HTTP extension. I work
> in an open source project which uses LWP to access Hotmail through this protocol (see
> https://sourceforge.net/projects/httpmail/).
> Recently the login process in Hotmail servers was changed in a way that two
> WWW-Authentications are performed during a single LWP::UserAgent 'request'. This has
> broken our LWP::UserAgent based client.
>
> This is a summary of the first line of each request and response, with additional
> fields in brackets (I hope it's clear...):
> 1. PROPFIND /svcs/hotmail/httpmail.asp HTTP/1.1
>    HTTP/1.1 302 Object moved (Location: http://oe.hotmail.com/cgi-bin/hmdata)
> 2. PROPFIND /cgi-bin/hmdata HTTP/1.1
>    HTTP/1.1 401 Authorization Required (WWW-Authenticate: Digest realm="hotmail.com"...)
> 3. PROPFIND /cgi-bin/hmdata HTTP/1.1 (Authorization: Digest username="[EMAIL PROTECTED]"...)
>    HTTP/1.1 302 Redirected (Location: http:[EMAIL PROTECTED]?)
> 4. PROPFIND [EMAIL PROTECTED]? HTTP/1.1
>    HTTP/1.1 401 Authorization Required (WWW-Authenticate: Digest realm="hotmail.com"...)
> 5. PROPFIND [EMAIL PROTECTED]? HTTP/1.1 (Authorization: Digest username="email"...)
>    HTTP/1.1 302 Redirected (Location: http://loginnet.passport.com/digest.srf?parameters)
> 6. PROPFIND /digest.srf?parameters HTTP/1.1
>    HTTP/1.1 401 Unauthorized (WWW-Authenticate: Digest realm="Microsoft Passport"...)
> 7. PROPFIND /digest.srf?parameters HTTP/1.1 (Authorization: Digest username="email"...)
>    HTTP/1.1 302 Redirect to partner (Location: http:[EMAIL PROTECTED]?parameters)
> 8. PROPFIND [EMAIL PROTECTED]?parameters HTTP/1.1
>    HTTP/1.1 207 Multi-Status (Success!)
>
> LWP::UserAgent does not support such a dual authentication process: it continues to
> send the same 'Authorization' after redirections and then fails to authenticate to
> the second server since a different realm is used.
> In order for LWP::UserAgent to work with this mess I did a little patch in 'sub
> request', so that the 'Authorization' is removed after redirections:
> $referral->url($referral_uri);
> # Remove the first server's credentials so they are not replayed after the redirect
> $referral->remove_header('Host', 'Cookie', 'Authorization');
> # Make sure LWP::Authen::Digest forgets the first authentication
> delete $response->request->{digest_user_pass};
To me it seems like killing the Authorization header on redirect is
the right thing to do. I'm not sure about the {digest_user_pass} part
though. It's not right to mess with it. LWP::Authen::Digest should
just be made smarter about it and do the right thing if we redirect
between machines.
LWP should also store the mapping of realms to URI-space so that it
can fill in the correct Authorization in a way similar to how it deals
with cookies.
Regards,
Gisle
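The behaviour the thread describes (a stale Digest Authorization replayed across a cross-host redirect, versus stripping it and re-authenticating per realm) modelled in Python, as an added example that is not part of this thread or of LWP. The servers are constructed fakes that only check the realm named in the Authorization header; mail.example.invalid and the credentials are placeholders, and the real Digest response hash is replaced by a stand-in token.

```python
import re
from urllib.parse import urlsplit
# Constructed fake servers: host -> (Digest realm it demands, redirect target once
# authenticated); realm None is the final 207 endpoint. mail.example.invalid is a
# placeholder for the redacted final host in the post.
FAKE_SERVERS = {
    "oe.hotmail.com": ("hotmail.com", "http://loginnet.passport.com/digest.srf"),
    "loginnet.passport.com": ("Microsoft Passport", "http://mail.example.invalid/hmdata"),
    "mail.example.invalid": (None, None),
}

def fake_server(url, headers):
    """Accept a request only if Authorization names this server's own realm."""
    realm, location = FAKE_SERVERS[urlsplit(url).hostname]
    if realm is None:
        return 207, {}
    if f'realm="{realm}"' not in headers.get("Authorization", ""):
        return 401, {"WWW-Authenticate": f'Digest realm="{realm}"'}
    return 302, {"Location": location}

class Client:
    def __init__(self, credentials, strip_auth_on_redirect=True):
        self.credentials = credentials        # (host, realm) -> (user, password)
        self.strip = strip_auth_on_redirect   # False reproduces the old LWP behaviour

    def request(self, url, headers=None, hops=0):
        assert hops < 10, "redirect/auth loop"
        headers = dict(headers or {})
        status, resp = fake_server(url, headers)
        if status == 401:
            realm = re.search(r'realm="([^"]*)"', resp["WWW-Authenticate"]).group(1)
            creds = self.credentials.get((urlsplit(url).hostname, realm))
            # No credentials for this realm, or a stale header already sent: give up as LWP did.
            if creds is None or "Authorization" in headers:
                return status, resp
            # Real Digest hashes user/realm/nonce/password; a stand-in token suffices here.
            headers["Authorization"] = f'Digest username="{creds[0]}", realm="{realm}"'
            return self.request(url, headers, hops + 1)
        if status == 302:
            if self.strip:  # never replay one host's credentials at the next hop
                for name in ("Host", "Cookie", "Authorization"):
                    headers.pop(name, None)
            return self.request(resp["Location"], headers, hops + 1)
        return status, resp

def login(strip_auth_on_redirect=True):
    user_pw = ("user@example.invalid", "pw")  # constructed credentials
    creds = {("oe.hotmail.com", "hotmail.com"): user_pw,
             ("loginnet.passport.com", "Microsoft Passport"): user_pw}
    return Client(creds, strip_auth_on_redirect).request("http://oe.hotmail.com/cgi-bin/hmdata")
```

With stripping on, the chain ends in 207; with it off, the hotmail.com credentials arrive at the Passport realm and the login stalls on 401, which is the failure the original client hit.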