To clarify, what is implementing the HTTP Digest Authentication? Is it your WSGI application, or are you using Apache with some sort of user database that Apache is directly accessing, or are you using the ability of mod_wsgi to be an auth provider for Apache doing the HTTP Digest Authentication as per:

http://code.google.com/p/modwsgi/wiki/AccessControlMechanisms

Knowing who is generating the WWW-Authenticate header will help to understand the problem. If it is your WSGI application, what Python toolkit are you using to implement the digest authentication mechanism?

Graham

2009/1/19 Johan <[email protected]>:
>
> I have a functioning DAA implementation as part of my wsgi app.
> Everything works perfectly, EXCEPT:
>
> Firefox ignores the "domain" field, a part of the "WWW-Authenticate"
> header.
>
> The uri "/home" when accessed by a client initiates the
> authentication.
> The following response body links to media at "/sys/files". What I want
> is for the authenticated session to "tick" ONLY when anything from
> "/home" is being accessed, but I don't want every request to "/sys" or
> anything else for that matter to receive the "Authorization" header.
> I've studied RFC 2617 (blech) and googled about like a madman to no
> avail. Here's the header exchange which demonstrates the problem:
>
> GET /home HTTP/1.1
> Host: 192.168.10.1
> User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.5) Gecko/2008123017 GranParadiso/3.0.5
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> Pragma: no-cache
> Cache-Control: no-cache
>
> HTTP/1.x 401 Unauthorized
> Date: Sun, 18 Jan 2009 01:09:19 GMT
> Server: Apache/2.2.9 (Debian) mod_wsgi/2.3 Python/2.5.2
> WWW-Authenticate: Digest realm="[email protected]", domain="/home", qop="auth", nonce="0cb08fa15f0fd59f372cc024f9b0d291", opaque="be2c6a51ff6cc54a607aab46e6b6f408"
> Vary: Accept-Encoding
> Content-Encoding: gzip
> Keep-Alive: timeout=15, max=99
> Connection: Keep-Alive
> Transfer-Encoding: chunked
> Content-Type: text/plain
>
> GET /home HTTP/1.1
> Host: 192.168.10.1
> User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.5) Gecko/2008123017 GranParadiso/3.0.5
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> Pragma: no-cache, no-cache
> Cache-Control: no-cache, no-cache
> Authorization: Digest username="johan", realm="[email protected]", nonce="0cb08fa15f0fd59f372cc024f9b0d291", uri="/home", response="68fce728eb5f1cc04e43a8b1a5f19a80", opaque="be2c6a51ff6cc54a607aab46e6b6f408", qop=auth, nc=00000001, cnonce="1591d58dc97956dc"
>
> HTTP/1.x 200 OK
> Date: Sun, 18 Jan 2009 01:09:24 GMT
> Server: Apache/2.2.9 (Debian) mod_wsgi/2.3 Python/2.5.2
> Vary: Accept-Encoding
> Content-Encoding: gzip
> Keep-Alive: timeout=15, max=98
> Connection: Keep-Alive
> Transfer-Encoding: chunked
> Content-Type: text/html
>
> GET /sys/files/prototype.js HTTP/1.1
> Host: 192.168.10.1
> User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.5) Gecko/2008123017 GranParadiso/3.0.5
> Accept: */*
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> Referer: http://192.168.10.1/home
> Authorization: Digest username="johan", realm="[email protected]", nonce="0cb08fa15f0fd59f372cc024f9b0d291", uri="/sys/files/prototype.js", response="3734368c5159a4b4c4b546b375e65055", opaque="be2c6a51ff6cc54a607aab46e6b6f408", qop=auth, nc=00000002, cnonce="4ceeed47b224b8b9"
> Pragma: no-cache
> Cache-Control: no-cache
>
> HTTP/1.x 200 OK
> Date: Sun, 18 Jan 2009 01:09:24 GMT
> Server: Apache/2.2.9 (Debian) mod_wsgi/2.3 Python/2.5.2
> Content-Length: 124000
> Keep-Alive: timeout=15, max=100
> Connection: Keep-Alive
> Content-Type: text/x-c; charset=utf-8
>
> Firefox's third request clearly contains the "Authorization" header
> despite the requested uri clearly being outside of the "domain"
> declared in "WWW-Authenticate". What gives? This crap happens even if
> I'm accessing http://192.168.10.1/sys/files/water.jpg in a separate tab
> directly and thus not providing the "Referer" header.
>
>

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "modwsgi" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/modwsgi?hl=en
-~----------~----~----~----~------~----~------~--~---
