Closed GoogleCodeExporter closed 8 years ago
Hello, I would like to vote for this as well. By coincidence, I am currently
working on a Django app that will send two WWW-Authenticate headers (HTTP basic
and HTTP digest) to allow the client to choose the method it supports. This has
worked fine with other WSGI servers, but have not tested yet with mod_wsgi. Of
course, I do use mod_wsgi, so I will require this feature as well.
I tested using a combined header and found many clients were not up to spec and
expected separate WWW-Authenticate headers.
Original comment by btimby@gmail.com
on 28 Oct 2011 at 2:02
The repository trunk for mod_wsgi 4.0 has been changed to split up the combined
WWW-Authenticate returned by daemon process back into separate headers.
Original comment by Graham.Dumpleton@gmail.com
on 24 Nov 2011 at 10:18
Original comment by Graham.Dumpleton@gmail.com
on 19 Mar 2012 at 10:23
cURL (7.21 and 7.27) and Chrome both fail with multiple WWW-Authenticate
headers. I used python urllib2, which worked fine. I am using Django app, who
http server also sent merged WWW-Authenticate headers. cURL worked for with
Django http server but fails with Apache2/mod_wsgi because of multiple
WWW-Authenticate headers.
Original comment by rishikul...@gmail.com
on 16 Jan 2013 at 11:46
Fail scenario:
< HTTP/1.1 401 UNAUTHORIZED
< Date: Wed, 16 Jan 2013 09:06:59 GMT
< Server: Apache/2.2.22 (Ubuntu)
< WWW-Authenticate: Digest
nonce="1358327219.4:DF88:c76a6bc2f76901c1c66ba6cf602b72ce"
< WWW-Authenticate: realm="django-tastypie"
< WWW-Authenticate: algorithm="MD5"
< WWW-Authenticate: opaque="7b2c09d74a75652b109436e2afa361684f5998c4"
< WWW-Authenticate: qop="auth"
< WWW-Authenticate: stale="false"
< Vary: Accept-Encoding
< Content-Length: 0
< Content-Type: text/html; charset=utf-8
Success Scenario:
< HTTP/1.0 401 UNAUTHORIZED
< Date: Wed, 16 Jan 2013 10:39:24 GMT
< Server: WSGIServer/0.1 Python/2.7.3
< Content-Type: text/html; charset=utf-8
< WWW-Authenticate: Digest
nonce="1358332764.43:CA20:a28d8a3ecb5ced0149ca32c851b7a773",
realm="django-tastypie", algorithm="MD5",
opaque="c1eb329e445ff3756bff7e53594117829ad95537", qop="auth", stale="false"
<
Original comment by rishikul...@gmail.com
on 16 Jan 2013 at 11:51
The fix was back ported to mod_wsgi 3.4 already. Presumably you are on an older
version. Upgrade your mod_wsgi to 3.4.
Original comment by Graham.Dumpleton@gmail.com
on 16 Jan 2013 at 9:43
I am using mod_wsgi 3.4. The problem I am reporting is that the 3.4 is not
merging WWW-Authenticate headers which is expected by cURL or Chrome. What are
you suggestions for working around this issue?
Original comment by rishikul...@gmail.com
on 17 Jan 2013 at 6:40
Go back to use mod_wsgi 3.3. Didn't read the data you dumped up properly.
The problem you are having is caused by this change, not that you are missing
it.
The simplistic approach the change took of just splitting on commas actually
turns out to be wrong and will break Digest authentication header. The parsing
to work out where to split is actually going to be rather complicated, so may
have to reengineer code to duplicate some stuff Apache does to avoid it doing
the merge it does in the first place.
No solution right now except to use older mod_wsgi version.
Original comment by Graham.Dumpleton@gmail.com
on 18 Jan 2013 at 2:57
This is fixed properly for 4.1.0, with original headers being passed back as
originally set by the WSGI application, avoiding any merging Apache does.
Original comment by Graham.Dumpleton@gmail.com
on 23 May 2014 at 2:42
Closing as fixed in subsequent releases.
Original comment by Graham.Dumpleton@gmail.com
on 16 Sep 2014 at 7:41
Original issue reported on code.google.com by
mark.nev...@gmail.com
on 28 Oct 2011 at 11:08Attachments: