#1 2009-11-28 21:23:29

Xyne
Administrator/PM
Registered: 2008-08-03
Posts: 6,965
Website

curl and wget: HTTP Digest Authentication

I'm stuck on the following problem.

I've implemented a basic HTTP server in Python using BaseHTTPServer for both voracious and quickserve. I've added options to support HTTP Digest Authentication and this works without any problems in Firefox. The browser connects to the server, gets the 401 response and 'WWW-Authenticate: Digest' headers, and then correctly sends the expected 'Authorization' headers.

curl and wget, on the other hand, refuse to send the correct headers. Here are the headers generated without and with curl's '--digest' option:

quickserve (notice the 'Authorization' header when not specifying '--digest'):

$ quickserve foo -b localhost --username foo --password bar
started httpserver on localhost:8080...
Authorization: Basic Zm9vOmJhcg==
User-Agent: curl/7.19.7 (x86_64-unknown-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8l zlib/1.2.3.3
Host: localhost:8080
Accept: */*

localhost.localdomain - - [28/Nov/2009 22:12:01] "GET / HTTP/1.1" 401 -

curl:

$ curl -u "foo:bar" http://localhost:8080/ -v
* About to connect() to localhost port 8080 (#0)
*   Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 8080 (#0)
* Server auth using Basic with user 'foo'
> GET / HTTP/1.1
> Authorization: Basic Zm9vOmJhcg==
> User-Agent: curl/7.19.7 (x86_64-unknown-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8l zlib/1.2.3.3
> Host: localhost:8080
> Accept: */*
> 
* HTTP 1.0, assume close after body
< HTTP/1.0 401 Unauthorized
< Server: BaseHTTP/0.3 Python/2.6.4
< Date: Sat, 28 Nov 2009 21:12:01 GMT
* Authentication problem. Ignoring this.
< WWW-Authenticate: Digest realm="localhost.localdomain"
< Connection: close
< 
* Closing connection #0

quickserve (now with '--digest', it no longer sends the header):

$ quickserve foo -b localhost --username foo --password bar
started httpserver on localhost:8080...
User-Agent: curl/7.19.7 (x86_64-unknown-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8l zlib/1.2.3.3
Host: localhost:8080
Accept: */*

localhost.localdomain - - [28/Nov/2009 22:18:53] "GET / HTTP/1.1" 401 -

curl:

$ curl -u "foo:bar" http://localhost:8080/ -v --digest
* About to connect() to localhost port 8080 (#0)
*   Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 8080 (#0)
* Server auth using Digest with user 'foo'
> GET / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-unknown-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8l zlib/1.2.3.3
> Host: localhost:8080
> Accept: */*
> 
* HTTP 1.0, assume close after body
< HTTP/1.0 401 Unauthorized
< Server: BaseHTTP/0.3 Python/2.6.4
< Date: Sat, 28 Nov 2009 21:19:44 GMT
* Authentication problem. Ignoring this.
< WWW-Authenticate: Digest realm="localhost.localdomain"
< Connection: close
< 
* Closing connection #0

This is probably something simple but I just can't figure it out. What really confuses me is that it works in Firefox.

Any help would be appreciated.


My Arch Linux Stuff | Forum Etiquette | Community Ethos - Arch is not for everyone

#2 2009-11-29 14:07:57

lolilolicon
Member
Registered: 2009-03-05
Posts: 1,722

Re: curl and wget: HTTP Digest Authentication

I don't know what the problem is, and this may not be helpful, but you may want to try an add-on for Firefox called Live HTTP Headers, which will show detailed header info so you can see what Firefox does. You can then analyze it or compare it to the curl output.


This silver ladybug at line 28...


#3 2009-11-29 14:40:22

Xyne
Administrator/PM
Registered: 2008-08-03
Posts: 6,965
Website

Re: curl and wget: HTTP Digest Authentication

Thanks for the reply, lolilolicon, but I've already checked the Firefox headers and they include the correct 'Authorization' header. I didn't post it because I didn't think it was directly relevant but here are the headers received when authenticating with Firefox:

Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.5) Gecko/20091106 Shiretoko/3.5.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en,en-us;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive

localhost.localdomain - - [29/Nov/2009 15:38:07] "GET / HTTP/1.1" 401 -




Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.5) Gecko/20091106 Shiretoko/3.5.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en,en-us;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Authorization: Digest username="foo", realm="localhost.localdomain", nonce="", uri="/", response="e8801169e74c91afe6942d07124ae669"

ok
localhost.localdomain - - [29/Nov/2009 15:38:13] "GET / HTTP/1.1" 200 -

Note that it correctly includes the 'Authorization: Digest ...' header and thus successfully authenticates itself leading to a 200 response.



#4 2009-11-29 16:00:57

lolilolicon
Member
Registered: 2009-03-05
Posts: 1,722

Re: curl and wget: HTTP Digest Authentication

Did you try the --anyauth option for curl?



#5 2009-11-29 16:08:28

Xyne
Administrator/PM
Registered: 2008-08-03
Posts: 6,965
Website

Re: curl and wget: HTTP Digest Authentication

Yeah. It has the same effect as "--digest"... no authentication header is sent.



Offline
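
Added example, not part of the thread and not quickserve's own code: RFC 2617 makes `nonce` a required directive of a Digest challenge, and the challenge visible in both curl traces above carries only `realm`. The Python sketch below checks a challenge for the required directives, issues one with a fresh nonce, and verifies a response for the no-qop case; all function names are hypothetical and `PAGE_CHALLENGE` is copied from the traces.

```python
import hashlib
import hmac
import re
import secrets

REQUIRED = ("realm", "nonce")  # mandatory in an RFC 2617 Digest challenge
# Challenge header as it appears in the curl traces in this thread.
PAGE_CHALLENGE = 'Digest realm="localhost.localdomain"'

def parse_auth_header(value):
    """Split a WWW-Authenticate/Authorization value into (scheme, params)."""
    scheme, _, rest = value.strip().partition(" ")
    pairs = re.findall(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))', rest)
    return scheme, {k.lower(): quoted or token for k, quoted, token in pairs}

def missing_directives(challenge):
    """Return required directives that are absent or empty in a challenge."""
    scheme, params = parse_auth_header(challenge)
    if scheme.lower() != "digest":
        return list(REQUIRED)
    return [name for name in REQUIRED if not params.get(name)]

def make_challenge(realm):
    """Build a challenge with a fresh, unpredictable nonce."""
    nonce = secrets.token_hex(16)
    return nonce, f'Digest realm="{realm}", nonce="{nonce}"'

def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(username, password, realm, nonce, method, uri):
    """request-digest for the legacy case where the challenge has no qop."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

def verify(authorization, users, realm, method, issued_nonce):
    """Check an Authorization header against the nonce the server issued."""
    scheme, p = parse_auth_header(authorization)
    user = p.get("username", "")
    if scheme.lower() != "digest" or p.get("nonce") != issued_nonce or user not in users:
        return False  # wrong scheme, unknown user, or a nonce never handed out
    # A full server would also compare p["uri"] with the request line.
    expected = digest_response(user, users[user], realm, issued_nonce, method, p.get("uri", ""))
    return hmac.compare_digest(expected.encode(), p.get("response", "").encode())

if __name__ == "__main__":
    print(missing_directives(PAGE_CHALLENGE))
    nonce, challenge = make_challenge("localhost.localdomain")
    print(challenge, missing_directives(challenge))
```
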
