curl-library

RE: Help with basic auth problem?

From: Steve Holme <steve_holme_at_hotmail.com>
Date: Tue, 7 Oct 2014 22:01:03 +0100

On Tue, 7 Oct 2014, Chris Johnson wrote:

> My code's attempts to connect to server are failing with my authentication rejected,
> but I know it's correct as I can connect with other tools. I believe I've got my various
> CURLOPTs set correctly, and the exchange looks right until it just goes off the rails.

You didn't include your code so I can't say whether it is correct or not but looking at the log it looks like you're performing a POST request and not a GET - was that intentional?

> From my logs, I see (MD5 has been trashed for privacy) that I send:

Sorry for being pedantic but that's not an MD5 string but rather text that has been Base64 encoded ;-)
 
> POST /EVSEligibilityWebService/spring-ws/EVSEligibility HTTP/1.1
> Authorization: Basic XXkXXTk5NzYwXXXXXXXcnZlcjXXXXXXXXXXXXX==
> Host: mn-its-atst.dhs.state.mn.us
> Accept: */*
> Content-Type: text/plain; charset=utf-8
> Content-Length: 1055
> Expect: 100-continue

Certainly with a GET request I would expect to see the following in your log:

* An initial request for the page or resource that is in your url
* The server will then respond with a 401 and set the appropriate WWW-Authentication headers (listing Basic with the realm option - like the response you received did)
* Your application would then send the request for the resource again, but this time with the Authorization header set with Basic and the Base64 encoded username and password (in the format username:password)
* The server would then respond with the resource you were after if authentication was successful - otherwise it would respond with another 401

However, is authentication handled the same for POST requests? Do you have to perform a GET request first for the authentication to work then once that is successful perform the POST request?

> 2014-10-07 14:44:47 ## Authentication problem. Ignoring this.

If you search the libcurl source code for that string you'll find that it is output when curl has got its authentication state machine in a muddle - i.e. it's already sent the authentication request and isn't expecting to send it again.

> Shouldn't libcurl respond to the WWW-authenticate: header by resending the
> Authorization: header again?

I'm not 100% sure how POST requests work with authentication so maybe someone else can lend a hand and further my explanation ;-)

> Is the server wrong to send that and follow it with an HTML page? Am I maybe
> not seeing the entire picture in the logging from my debug callback?

No... If you think about how a browser handles this when performing a GET request it will receive the mechanism and realm from the WWW-Authenticate header and typically prompt the user to enter their credentials (for Basic and Digest) probably stating the text from the realm in that dialog. Once the user enters those details and clicks "OK" it will then send the second request, continuing to authenticate as outlined above. However, if the user clicks "Cancel" the browser would then typically display the HTML from that response.

I hope this helps and sorry I can't be more specific about POST requests.

Kind Regards

Steve

Received on 2014-10-07
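
Added example, not part of the original mail and not libcurl code: the mail's point that the `Authorization: Basic` value is Base64-encoded text rather than an MD5 digest means it decodes straight back to `username:password`, which is why it needs redacting before a log is shared. The helper names `b64_val` and `decode_basic_header` are hypothetical, and the header value is a constructed sample (the RFC 7617 example credentials), not the poster's.

```c
#include <stdio.h>
#include <string.h>

/* Map one Base64 alphabet character to its 6-bit value, or -1. */
static int b64_val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode "Authorization: Basic <base64>" into out; returns the length or -1.
 * Assumption: exact header-name case, as in the log quoted in the mail. */
int decode_basic_header(const char *line, char *out, size_t outlen)
{
    static const char prefix[] = "Authorization: Basic ";
    unsigned int acc = 0;
    int bits = 0;
    size_t n = 0;
    const char *p;

    if (outlen == 0 || strncmp(line, prefix, sizeof(prefix) - 1) != 0)
        return -1;
    /* Stop at padding or end of line; 6 bits in per character, 8 bits out. */
    for (p = line + sizeof(prefix) - 1; *p && *p != '=' && *p != '\r' && *p != '\n'; p++) {
        int v = b64_val((unsigned char)*p);
        if (v < 0 || n + 1 >= outlen)
            return -1;
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            out[n++] = (char)((acc >> bits) & 0xFF);
        }
    }
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    /* Constructed sample (RFC 7617's example credentials), not the poster's. */
    char creds[64];
    const char *hdr = "Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==";
    if (decode_basic_header(hdr, creds, sizeof(creds)) > 0)
        printf("%s\n", creds);
    return 0;
}
```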