Closed
From forum:
HTTPCredentials not according to HTTP spec
Post by JoeF » Mon Jun 23, 2014 9:33 pm
Hello,
It seems as if HTTPCredentials only supports one scheme and authinfo.
However, the HTTP spec RFC 2616 allows multiple WWW-authenticate headers and/or multiple challenges.
See https://www.ietf.org/rfc/rfc2616.txt
"14.47 WWW-Authenticate
The WWW-Authenticate response-header field MUST be included in 401
(Unauthorized) response messages. The field value consists of at
least one challenge that indicates the authentication scheme(s) and
parameters applicable to the Request-URI.
WWW-Authenticate = "WWW-Authenticate" ":" 1#challenge
The HTTP access authentication process is described in "HTTP
Authentication: Basic and Digest Access Authentication" [43]. User
agents are advised to take special care in parsing the WWW-
Authenticate field value as it might contain more than one challenge,
or if more than one WWW-Authenticate header field is provided, the
contents of a challenge itself can contain a comma-separated list of
authentication parameters."
Only looking at the first WWW-Authenticate header would cause Poco to fail when a server, e.g., on a Microsoft OS, sends one of its proprietary schemes (e.g., NTLM) as the first entry and the Basic or Digest scheme as additional challenges.
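The parsing the RFC text above asks for, as an added example that is not part of the forum post or of POCO's own HTTPCredentials code: a standalone C++ routine that walks every WWW-Authenticate header value of a 401 response, splits it into challenges while keeping commas inside quoted strings (qop="auth,auth-int") intact, and then picks the first challenge whose scheme the client implements instead of giving up on the first one it sees. The function names (parseChallenges, selectChallenge, sampleHeaders) and the sample headers are assumptions constructed for this example, not captured from a real server; the grammar handled is the RFC 2616 one quoted above (scheme followed by auth-params), so RFC 7235 token68 values are not covered.

```cpp
#include <cctype>
#include <iostream>
#include <map>
#include <string>
#include <vector>

// One challenge from a WWW-Authenticate field: an auth-scheme plus its auth-params.
struct Challenge {
    std::string scheme;                         // "Basic", "Digest", "NTLM", ...
    std::map<std::string, std::string> params;  // lower-cased name -> unquoted value
};

static std::string trim(const std::string& s) {
    size_t b = s.find_first_not_of(" \t");
    if (b == std::string::npos) return "";
    size_t e = s.find_last_not_of(" \t");
    return s.substr(b, e - b + 1);
}

static std::string lower(std::string s) {
    for (char& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

static bool iequals(const std::string& a, const std::string& b) { return lower(a) == lower(b); }

// Strip surrounding double quotes and undo backslash escapes inside a quoted-string.
static std::string unquote(const std::string& v) {
    if (v.size() < 2 || v.front() != '"' || v.back() != '"') return v;
    std::string out;
    for (size_t i = 1; i + 1 < v.size(); ++i) {
        if (v[i] == '\\' && i + 2 < v.size()) ++i;   // keep the escaped char, drop the backslash
        out += v[i];
    }
    return out;
}

// Split on commas that are not inside a quoted-string, so qop="auth,auth-int" stays whole.
static std::vector<std::string> splitOutsideQuotes(const std::string& value) {
    std::vector<std::string> items;
    std::string cur;
    bool inQuotes = false;
    for (size_t i = 0; i < value.size(); ++i) {
        char c = value[i];
        if (inQuotes && c == '\\' && i + 1 < value.size()) { cur += c; cur += value[++i]; continue; }
        if (c == '"') inQuotes = !inQuotes;
        if (c == ',' && !inQuotes) { items.push_back(cur); cur.clear(); }
        else cur += c;
    }
    items.push_back(cur);
    return items;
}

// Parse every WWW-Authenticate value of a 401 response. RFC 2616 allows several header
// fields, several challenges per field and a comma-separated param list per challenge,
// so each list item has to be classified, not just split:
//   "NTLM"               -> bare scheme, starts a new challenge
//   "Digest realm=\"x\"" -> scheme followed by its first param, starts a new challenge
//   "nonce=\"y\""        -> param that belongs to the most recent challenge
std::vector<Challenge> parseChallenges(const std::vector<std::string>& headerValues) {
    std::vector<Challenge> out;
    for (const std::string& value : headerValues) {
        for (const std::string& rawItem : splitOutsideQuotes(value)) {
            std::string item = trim(rawItem);
            if (item.empty()) continue;                      // tolerate stray commas
            size_t eq = item.find('=');
            if (eq == std::string::npos) {                   // bare scheme, e.g. "NTLM"
                out.push_back(Challenge{item, {}});
                continue;
            }
            std::string lhs = trim(item.substr(0, eq));
            std::string paramValue = unquote(trim(item.substr(eq + 1)));
            size_t ws = lhs.find_first_of(" \t");
            if (ws != std::string::npos) {                   // "Scheme param=value"
                out.push_back(Challenge{lhs.substr(0, ws), {}});
                lhs = trim(lhs.substr(ws + 1));
            }
            if (out.empty()) continue;                       // param before any scheme: malformed, skip
            out.back().params[lower(lhs)] = paramValue;
        }
    }
    return out;
}

// Walk the client's schemes in preference order and return the first matching challenge,
// or nullptr when the server offered nothing the client implements. Looking only at the
// first challenge would stop at NTLM; scanning all of them finds the Digest one after it.
const Challenge* selectChallenge(const std::vector<Challenge>& challenges,
                                 const std::vector<std::string>& preferredSchemes) {
    for (const std::string& scheme : preferredSchemes)
        for (const Challenge& c : challenges)
            if (iequals(c.scheme, scheme)) return &c;
    return nullptr;
}

// Constructed sample (assumption, not captured from a real host) in the shape the post
// describes: a Windows server listing its proprietary schemes before Digest and Basic.
std::vector<std::string> sampleHeaders() {
    return {
        "Negotiate, NTLM",
        "Digest realm=\"corp\", qop=\"auth,auth-int\", nonce=\"dcd98b7102dd2f0e8b11d0f600bfb0c093\", "
        "opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"",
        "Basic realm=\"corp\""
    };
}

int main() {
    std::vector<Challenge> challenges = parseChallenges(sampleHeaders());
    for (const Challenge& c : challenges) {
        std::cout << c.scheme;
        for (const auto& p : c.params) std::cout << ' ' << p.first << "=\"" << p.second << '"';
        std::cout << '\n';
    }
    const Challenge* chosen = selectChallenge(challenges, {"Digest", "Basic"});
    std::cout << "client would answer with: " << (chosen ? chosen->scheme : "nothing supported") << '\n';
    return 0;
}
```

Feeding the sample headers through parseChallenges yields four challenges (Negotiate, NTLM, Digest with four params, Basic), and selectChallenge with the preference list {"Digest", "Basic"} returns the Digest challenge even though it is neither in the first header nor the first challenge. Param names are lower-cased before insertion because auth-param names are case-insensitive; the scheme comparison is case-insensitive for the same reason.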