Last Comment Bug 44041 - WWW-Authenticate: compatability w/ multiple lines
: WWW-Authenticate: compatability w/ multiple lines
[nsbeta3+] r/a=gagan
: testcase
Product: Core
Classification: Components
Component: Networking: HTTP (show other bugs)
: Trunk
: All All
P3 blocker (vote)
: M18
Assigned To: Gagan
: Patrick McManus [:mcmanus]
: 48047 48469 (view as bug list)
Depends on:
  Show dependency treegraph
Reported: 2000-06-27 19:54 PDT by Brian Hunt
Modified: 2003-05-24 22:33 PDT (History)
5 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

This patch causes mozilla to look at multiple WWW-Auth headers and then use the first it can handle (5.51 KB, patch)
2000-07-09 00:01 PDT, justin
no flags Details | Diff | Splinter Review

Description User image Brian Hunt 2000-06-27 19:54:35 PDT
In General: When attempting to connect to this web page using other browsers
(NS, IE), the authentication works fine.

Mozilla: Nothing happens.  The server is IIS/4 with (basic) BASE64
authentication.  This link is only temporary, but I may be able to provide a
replacement when this one goes inside a DMZ (thus you won't be able to connect
to it anyway) this week.  STDERR receives "Error loading URL" but nothing more.

I didn't trace the packets, but if someone things it would be helpful, it can be
done.  This bug was marked as a blocker since Beta2 shouldn't go out unless Moz
can authenticate with BASE64/IIS. (if that turns out to be an isolation of the
problem; I'm speculating a bit)  There might be more to this than I comprehend -
feel free to fill me in on why this wouldn't work. :)  (although it does work in
Comment 1 User image Mitchell Stoltz (not reading bugmail) 2000-06-28 10:44:23 PDT
Reassigning to networking and Gagan.
Comment 2 User image rcummins 2000-06-29 21:38:06 PDT
HTTP header for is:

HEAD /mast_xr HTTP/1.0

HTTP/1.1 401 Access Denied
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm=""
Content-Length: 644
Content-Type: text/html

The "WWW-Authenticate: NTLM" seems to be throwing Mozilla, it doesn't even try
to render the page much less ask for username/password. I suspest "NTLM" is not
a valid value, since multiple valid "WWW-Authenticate"s seem to work. Was able
to duplicate the problem on Win95 build 2000062914, and on another web server at - NC 4.72 handles this "correctly" - or
at least it handles it gracefully.
Comment 3 User image Eliot Landrum 2000-07-03 16:34:53 PDT
Confirmed on Linux 2000070308.

Tried the URL with a trailing slash and without.

I do not get an error on STDERR:

Document: Done (0.851 secs)
Document loaded successfully

Document: Done (1.024 secs)
Document loaded successfully

Yet no dialog or content.
Comment 4 User image justin 2000-07-05 22:31:05 PDT
I don't believe mozilla considers multiple WWW-Authenticate lines.
It just takes the first, which isn't the proper RFC behavior.
I've recently done some work in the area, so I'll fix this soon.
Comment 5 User image justin 2000-07-09 00:01:05 PDT
Created attachment 11155 [details] [diff] [review]
This patch causes mozilla to look at multiple WWW-Auth headers and then use the first it can handle
Comment 6 User image justin 2000-07-09 00:10:33 PDT
This bug was the result of mozilla's incomplete handling of www-auth headers.
It didn't consider the possibility of multiple headers being sent by the server.

I've fixed this (in the above patch), so that it goes through each header, in 
the order received (as per RFC specification), and sees if there's an auth 
service for each type.

This makes both Brian Hunt and rcummins example URLs work fine now (it falls 
through to the Basic auth type).

Also, while I was in the neighborhood, I changed the password prompt message to 
make it work like 4.x did. For example, mozilla was prompting with:

"Enter username for ${WWW-Authenticate header value}"

It now prompts with:

"Enter username for ${realm} at ${host}"

Comment 7 User image justin 2000-07-09 00:16:51 PDT
Oh, btw, that patch applies in netwerk/protocol/http/src
Comment 8 User image Peter ``jag'' Annema 2000-07-29 16:01:22 PDT
I'm seeing this on Win 95, 2000-07-28-08-M18, and from the type of code 
suspecting this is All All, so marking so.

Adding a few keywords. No need to let this rot away. At first glance the patch 
looks okay but someone more appropriate will have to provide the r=.
Comment 9 User image Gagan 2000-07-31 23:54:09 PDT
nominating and recommending a plus.
Comment 10 User image Gagan 2000-08-07 13:25:29 PDT
Comment 11 User image justin 2000-08-21 17:39:14 PDT
I just noticed this has approval and review keywords.
Does that mean I can land it? If so, who do I list for r=/a=?
Comment 12 User image Peter ``jag'' Annema 2000-08-21 17:50:17 PDT
Actually, review and approval keywords mean that they're desired. They should be
taken off the keywords list once done / granted. Also, (the request for)
approval shouldn't be up there until the review has been done. My mistake and
Comment 13 User image Gagan 2000-08-25 16:55:59 PDT
ok justin, r/a=gagan 
go for it! and thanks! :)
Comment 14 User image Gagan 2000-09-10 23:23:19 PDT
fix checked in.
Comment 15 User image Gagan 2000-09-10 23:24:52 PDT
*** Bug 48047 has been marked as a duplicate of this bug. ***
Comment 16 User image Paul Wyskoczka 2000-09-12 08:03:42 PDT
Updating QA Contact to
Comment 17 User image John Unruh 2000-09-12 11:13:51 PDT
Verified fixed. 
Comment 18 User image Yrjänä Rankka 2000-09-25 04:11:02 PDT
Choosing the first authentication method you can handle is a step into the right
direction, but still not how it should be. I believe the rfc states that one
should always choose the method providing strongest security that the client
implements. i.e. if we know how to do basic and digest and the response headers
contain both challenges for basic and digest, we should choose to use digest,
regardless of order in which the challenges are presented.
Comment 19 User image Steffen Pietsch 2000-10-20 02:00:06 PDT
here: Win98, Mozilla M18 from 20001010

Following URL request 2 authenticate header.
  1. digest auth
  2. basic auth

After applying the user/pw:  "test"  "test"  (without the quotes)
shows which authentication scheme was used.

!! Mozilla does not take the first (digest) but only the second (basic) !!
(Or ist the digest-patch from june not yet in M18??)
Comment 20 User image John Unruh 2000-10-20 09:18:44 PDT
Steffen and yrjana - please open a new bug based upon your last comments that 
the most secure method should be used. I'm leaving this one as verified fixed, 
since the original bug is fixed - "Unable to enter basic authentication"
Comment 21 User image justin 2000-10-20 21:24:01 PDT
Steffen: The Digest auth code is not in; that's mostly my fault, as I have not
updated my patch (for Digest auth) for the changes I made to fix this bug
(support for multiple WWW-Auth lines).

Junruh and Yrjänä: The current implementation for handling multiple www-Auth
lines is correct. The RFC says the the client should use methods in the order
listed by the server, not that the client should determine the most secure
method and use that. This makes sense as 1) the server should be capable of
ordering by security and 2) the server may prefer one particular method over
another with similar (or even slightly more) security, such as an NT ISS box
wanting NTLM before Digest auth.

The relevant bit from RFC 2068 (aka HTTP/1.1):

   15.2 Offering a Choice of Authentication Schemes

   An HTTP/1.1 server may return multiple challenges with a 401
   (Authenticate) response, and each challenge may use a different
   scheme.  The order of the challenges returned to the user agent is in
   the order that the server would prefer they be chosen. The server
   should order its challenges with the "most secure" authentication
   scheme first. A user agent should choose as the challenge to be made
   to the user the first one that the user agent understands.

Comment 22 User image benc 2001-06-04 07:27:18 PDT
Comment 23 User image justin 2001-09-03 18:10:26 PDT
The issue of choosing an appropriate authentication mechanism came up
in the digest auth bug discussion, and I was about to point out that
the RFC says follow the server's order, not make the client decide.
Well, in fact, it says both. Here are the two relevant sentences from 
RFC2068, both in section 15.2, separated by a mere paragraph:

"A user agent should choose as the challenge to be made
 to the user the first one [in the server's order] that the 
 user agent understands."


"For this reason, the client should always use the strongest 
 scheme that it understands from the choices accepted."

Of course, the second one only applies to man-in-the-middle attacks,
and if there is a man in the middle, he can just remove all but
Basic auth headers, so it doesn't help. Considering that, I believe
it's still best to use the server order, since a site might prefer
some wacky alternative (NTLM) and using something else (Digest) might
hinder the client's abilities in their system.
Comment 24 User image An-Cheng Huang 2001-09-03 20:52:31 PDT
Actually, RFC 2068 is obsoleted by 2616, which doesn't mention this any more.
Instead, section 15.2 of RFC 2068 is now sections 4.6 & 4.8 of RFC 2617,
which says "MUST choose the strongest" (no conflicting statements).

However, I agree that this doesn't help much with the MITM problem (a better
solution is to disable "insecure" schemes such as Basic).  Also it involves 
problems such as ranking the strength of the authentication schemes (well,
is Digest "stronger" than NTLM?).  And lastly, there isn't anything other 
than Basic at the moment anyway.  So maybe this can wait until Mozilla 
supports multiple authentication schemes.
Comment 25 User image Brian Hunt 2002-01-22 04:41:52 PST
I am not entirely sure this has been fixed.  When encountering a web page with

WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm=""

Mozilla seems to default as broken, never attempting basic auth.  I am not sure
if the problem is related to the fix applied here, but this seemed like a good
place to start.

Note: the web server once used for testing is now offline.
Comment 26 User image Brian Hunt 2002-01-22 05:06:03 PST
Apologies for the spam.

I have confirmed that this is a problem with the debian binary for Mozilla, and
a bug report is being sent upstream.  (In my own defense, 3 versions of Mozilla
were tested, cvs, 0.9.7 and 0.9.5, where only 0.9.5 worked; all on debian.)

Remarking as closed.
Comment 27 User image John Unruh 2002-01-24 10:42:07 PST
Verified per reporter's comment.
Comment 28 User image benc 2002-12-14 08:30:03 PST
John: can you send Tom the test server URL that you verified? Are there public
servers using NTLM? I want to add that to our test suites.
Comment 29 User image John Unruh 2002-12-16 09:41:23 PST
I verified this based on the reporter's comment, as stated directly above. If
this is not a dupe of another bug or should be reopened, please do so. Also, I
don't know of any public servers using NTLM.
Comment 30 User image benc 2003-04-28 18:13:12 PDT
I've got this working internally now, so it is part of our HTTP testcases.
Comment 31 User image benc 2003-05-24 22:33:15 PDT
*** Bug 48469 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.