cURL / Mailing Lists / curl-library / Single Mail


RE: Authentication

From: Daniel Stenberg <>
Date: Wed, 11 Feb 2004 22:07:21 +0100 (CET)

On Wed, 11 Feb 2004, Xiuping Hu wrote:

> [Xiuping Hu] This is the case if you provide a wrong credential through
> proxy to backend.
> 1, c --> p --> s GET ... with credential forwarded
> 2. p <-- s 401 Unauthorized
> WWW-Authenticate: NTLM
> 3. p --> s GET ..
> Authorization: NTLM <base64-encoded Type1 message>
> 4. p <-- s 401 Access Denied..
> WWW-Authenticate: NTLM..
> 5. p --> s GET ..
> Authorization: NTLM <base64-encoded Type1 message>
> 4 <--> 5 endless loop.

I think I've understood how the error appears. I have not understood the
reason for it, and that's why I asked:

   Why isn't ntlm->state already at state NTLMSTATE_TYPE1 when the
   autorization header is set?

The basic principle of the code is that if it has already set the NTLM state
machine into state TYPE1, it should not get another "blank" NTLM header
without it returning CURLNTLM_BAD from Curl_input_ntlm(). You additional
comparison implied that the check wasn't enough. I'm therefore asking you how
it comes it isn't enough.

I'm sorry, but I don't have any servers readily available to speak NTLM with
so I can't easily test these things.

> > 2. How do you expect your fix to work with proxies? We store the
> > autorization header in a different variable and it has different context...

> [Xiuping Hu] This fix stops endless looping in this scenarios, and give the
> backend the chance to fall back to directly send the auth page to client.
> But one thing I can not fix at this time, that is once client receive the
> auth page directly from backend, and enter his/her credential, proxy still
> have no way to get it, and continue using the proxy credential, so
> eventually it fails. How can we fix this issue?

I don't understand the situation. Can you show me a step-by-step list like

> BTW, what you mean store the authorization header in a different variable
> and it has different context? Could you please explain?

conn->allocptr.userpwd only contains the header used for server authentication
(what you call backend), not for proxy authentication.

Also, the header is not "Authorization:" when it is for proxies, it is then

So, if we could instead make the state check work, we wouldn't have to worry
about those details.

    Daniel Stenberg -- --
   [[ Do not send mails to this email address. They won't reach me. ]]
Received on 2004-02-11