On Tue, Apr 19, 2011 at 6:27 PM, Sai Pullabhotla <[email protected]> wrote:
> Just wanted to address the comment made by Niklas that a password
> should always be required:
>
> Just reading back the RFC 4217, and found this:
>
> Note 2: The PASS command might not be required at all (if the USER
> parameter and any client identity presented provide sufficient
> authentication). The server would indicate this by issuing a '232'
> reply to the USER command instead of the '331', which requests a PASS
> from the client (see below).
>
> So, it looks like we now do have a standard.

Good find! I still haven't gotten around to reviewing the patch, but having this spec makes me think we can include this in 1.1.x. For 1.1.x we need to maintain backwards compatibility. Perhaps, on calling authenticate on USER, if it throws FtpException (and not AuthenticationFailedException) or a RuntimeException, we treat that as authentication not supported and require PASS. Or, we need a new interface.

/niklas
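
An added sketch of the USER reply selection discussed in this message; it is not part of the original mail and not Apache FtpServer code. The exception classes are stand-ins named after the ones mentioned above, `IdentityAuthenticator` and `replyToUser` are hypothetical names, and answering 530 on an explicit `AuthenticationFailedException` is an assumption, since the message does not say how that case should be handled.

```java
public class UserReplyDemo {
    // Stand-ins named after the exception types in the message; not the project's classes.
    static class FtpException extends Exception {
        FtpException(String msg) { super(msg); }
    }
    static class AuthenticationFailedException extends FtpException {
        AuthenticationFailedException(String msg) { super(msg); }
    }

    // Hypothetical hook: authenticate from the USER argument plus the client
    // identity presented on the TLS session. Returning normally means success.
    interface IdentityAuthenticator {
        void authenticate(String user, String certSubject) throws FtpException;
    }

    static String replyToUser(IdentityAuthenticator auth, String user, String certSubject) {
        try {
            auth.authenticate(user, certSubject);
            // RFC 4217 note 2: identity was sufficient, so no PASS is requested.
            return "232 User logged in, authorized by security data exchange.";
        } catch (AuthenticationFailedException e) {
            // Assumption (not stated in the message): an explicit rejection ends the login.
            return "530 Not logged in.";
        } catch (FtpException | RuntimeException e) {
            // Identity-only authentication unsupported by this user manager:
            // fall back to the classic flow. Errors never produce a 232.
            return "331 User name okay, need password.";
        }
    }

    public static void main(String[] args) {
        // Constructed sample: certificate subject bound to a user name.
        IdentityAuthenticator certAware = (u, c) -> {
            if (!("CN=" + u).equals(c)) throw new AuthenticationFailedException("subject mismatch");
        };
        // Constructed sample: legacy manager that only understands passwords.
        IdentityAuthenticator legacy = (u, c) -> {
            throw new UnsupportedOperationException("password required");
        };
        System.out.println(replyToUser(certAware, "alice", "CN=alice"));
        System.out.println(replyToUser(certAware, "alice", "CN=bob"));
        System.out.println(replyToUser(legacy, "alice", "CN=alice"));
    }
}
```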
