Subject: Re: [htdig3-dev] Authorization question
From: Geoff Hutchison (firstname.lastname@example.org)
Date: Sun Dec 05 1999 - 07:44:47 PST
At 3:06 PM +0200 12/5/99, Vadim Chekan wrote:
>A need an advise. I'm going to commit:
>* htdig/Document.cc htdig/htdig.cc: "-u" parameter removed from
>htdig, "authorization" parameter in config is added and is
>new config compatible. New code has'n got PR#490 bug
>(don't authentificate robot.txt)
>1. Is it ok to remove htdig's "-u" options?
Maybe we should keep it for a while and mention that it's being
depreciated. So -u would have the same effect on authorization: as -h
has on max_hop_count:
>2. What shold be htdig's behavior with the "authorization:" defined
>globally? Should htdig pass
>Authorization: Basic xxxxxxxxxxxxx
>line for each url, or only for those which need authorization?
Right now it passes it for each URL, but I think this isn't a great
idea. The RFC states:
A client SHOULD assume that all paths at or deeper than the depth of
the last symbolic element in the path field of the Request-URI also
are within the protection space specified by the Basic realm value of
the current challenge. A client MAY preemptively send the
corresponding Authorization header with requests for resources in
that space without receipt of another challenge from the server.
So we should ideally wait until we need authorization, then any URLs
below that can just send the Authorization header. If you know how to
implement this, great. (I guess after getting a denied response, it
could set a new URL dependent authorization config.)
To unsubscribe from the htdig3-dev mailing list, send a message to
You will receive a message to confirm this.
This archive was generated by hypermail 2b28 : Sun Dec 05 1999 - 07:57:59 PST