Opened 13 years ago

Closed 13 years ago

Last modified 13 years ago

#567 closed enhancement (fixed)

Make authentication modular in http-client

Reported by: sjamaan
Owned by: sjamaan
Priority: major
Milestone:
Component: extensions
Version:
Keywords: authentication, authorization, http-client, intarweb
Cc:
Estimated difficulty:

Description

Currently basic and digest auth are hardcoded in http-client. As Thomas Hintz pointed out, there are services like Amazon S3 that have their own homebrew (and less secure...) authentication system which re-uses the "authorization" header with a custom scheme.

It would be great if the authentication schemes were extensible so we can cope with those custom schemes without having to add them to a huge pile inside http-client itself. This is not desirable because there may be many of these one-off systems out there, and they're all nonstandard and may even change and disappear over time.

Possibly some of the standard auth stuff can be moved inside intarweb too. Not sure yet.

Change History (2)

comment:1 Changed 13 years ago by sjamaan

Resolution: fixed
Status: new → closed

Ugh. The authenticators need to know too much about the request/response handling because digest auth is so annoying.

At least it's in now. It really really needs to be cleaned up before it can be considered useful for extension by other eggs. At least now you *can* extend it if you must, if you're brave enough to read the source and figure out how to ;)

comment:2 Changed 13 years ago by sjamaan

Turns out Amazon S3 doesn't even implement RFC 2617 properly; it doesn't send 401 responses; you need to pass the authentication stuff right along with the initial request. If you don't, it just 403s on you.

Amazon, a bunch of professional fools.

Amazon, for all your botched standards.

Amazon, what were they thinking?
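The following sketch is an added example, not http-client's code or API (and in Python rather than Scheme): it shows a scheme registry that handles both cases from this ticket, an authenticator that answers a 401 challenge and one that must sign the initial request because the server only ever returns 403. All names (`REGISTRY`, `Basic`, `DemoSigned`, `send`, the `X-Demo` scheme) are hypothetical, and the transport is any callable taking and returning dicts.

```python
import base64, hashlib, hmac

REGISTRY = {}  # lowercase scheme name -> authenticator (hypothetical design)

def register(auth):
    REGISTRY[auth.scheme.lower()] = auth

class Basic:
    scheme, preemptive = "Basic", False  # waits for a 401 challenge
    def header(self, req, creds, params):
        raw = f"{creds['user']}:{creds['secret']}".encode()
        return "Basic " + base64.b64encode(raw).decode()

class DemoSigned:
    # Constructed stand-in for a vendor scheme whose server never sends 401.
    scheme, preemptive = "X-Demo", True
    def header(self, req, creds, params):
        msg = f"{req['method']}\n{req['path']}".encode()
        sig = hmac.new(creds["secret"].encode(), msg, hashlib.sha256).hexdigest()
        return f"X-Demo {creds['user']}:{sig}"

def parse_challenge(value):
    """Split 'Scheme k="v", k2="v2"' into (scheme, params). Simplified:
    one challenge per header, no commas inside quoted values."""
    scheme, _, rest = value.strip().partition(" ")
    params = {}
    for part in filter(None, (p.strip() for p in rest.split(","))):
        key, _, val = part.partition("=")
        params[key.strip().lower()] = val.strip().strip('"')
    return scheme.lower(), params

def send(req, creds, transport, scheme=None):
    """`scheme` is the caller's explicit choice of a preemptive authenticator."""
    headers = dict(req.get("headers", {}))
    auth = REGISTRY.get((scheme or "").lower())
    if auth and auth.preemptive:
        headers["Authorization"] = auth.header(req, creds, {})
    resp = transport(dict(req, headers=headers))
    challenge = resp.get("headers", {}).get("WWW-Authenticate")
    if resp["status"] != 401 or not challenge or "Authorization" in headers:
        return resp  # a bare 403 has no challenge; rejected credentials are not retried
    name, params = parse_challenge(challenge)
    auth = REGISTRY.get(name)
    if auth is None:
        return resp  # unknown scheme: never guess which credentials to send
    retry = dict(headers, Authorization=auth.header(req, creds, params))
    return transport(dict(req, headers=retry))

register(Basic())
register(DemoSigned())
```

A real client would also scope each set of credentials to the origin it was configured for before answering any challenge.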
