Solved

WWW-Authenticate and getFieldHeaders

Posted on 2004-08-12
Last Modified: 2008-02-01
per RFC 2068
================================================
14.46 WWW-Authenticate

   The WWW-Authenticate response-header field MUST be included in 401
   (Unauthorized) response messages. The field value consists of at
   least one challenge that indicates the authentication scheme(s) and
   parameters applicable to the Request-URI.

          WWW-Authenticate  = "WWW-Authenticate" ":" 1#challenge

   The HTTP access authentication process is described in section 11.
   User agents MUST take special care in parsing the WWW-Authenticate
   field value if it contains more than one challenge, or if more than
   one WWW-Authenticate header field is provided, since the contents of
   a challenge may itself contain a comma-separated list of
   authentication parameters.
================================================
getHeaderFields
public Map getHeaderFields()
Returns an unmodifiable Map of the header fields. The Map keys are Strings that represent the response-header field names. Each Map value is an unmodifiable List of Strings that represents the corresponding field values.

Now per definition of Map, "An object that maps keys to values. A map cannot contain duplicate keys; each key can map to at most one value." How does this fit in with the permissible duplicate values of "WWW-Authenticate"? But getHeaderFields does allow duplicate values? How do I interpret this and what is recommended in detecting the duplicate keys?
Question by:danths
16 Comments
 
LVL 86

Expert Comment

by:CEHJ
ID: 11788708
The first off-the-cuff suggestion is there are no duplicates, but the values of the challenge can be a delimited list
0
 
LVL 92

Expert Comment

by:objects
ID: 11788786
See getHeaders method:

public java.util.Enumeration getHeaders(java.lang.String name)
Returns all the values of the specified request header as an Enumeration of String objects.
Some headers, such as Accept-Language can be sent by clients as several headers each with a different value rather than sending the header as a comma separated list.

If the request did not include any headers of the specified name, this method returns an empty Enumeration. The header name is case insensitive. You can use this method with any request header.

Parameters:
name - a String specifying the header name
Returns:
an Enumeration containing the values of the requested header. If the request does not have any headers of that name return an empty enumeration. If the container does not allow access to header information, return null
0
 
LVL 6

Author Comment

by:danths
ID: 11788792
There are duplicate keys for WWW-Authenticate and it is legal as per the RFC. I could confirm that by iterating through each header field using getHeaderField(i), but if I use getHeaderFields only the first pair is returned. So does that mean that I cannot use getHeaderFields?
0
 
LVL 92

Expert Comment

by:objects
ID: 11788802
> but if I use getHeaderFields only the first pair is returned.
> So does that mean that I cannot use getHeaderFields?

correct
0
 
LVL 6

Author Comment

by:danths
ID: 11788884
what's the workaround?
More info:-


using getHeaderFields:-
HttpHeaderKeys: [X-Powered-By, X-AspNet-Version, null, Date, Server, Content-Type, Cache-Control, WWW-Authenticate]
HttpHeaderValues: [[ASP.NET], [1.1.4322], [HTTP/1.1 401 Unauthorized], [Thu, 12 Aug 2004 21:34:47 GMT], [Microsoft-IIS/5.0], [text/plain], [private], [Digest realm="xxx@xxx.com",nonce="64cca617efcc2946fee57e458d53da10",opaque="b2590191-c61a-47bc-9d50-749e8722eae2",qop="auth", Basic realm="xxx@xxx.com"]]
 
usingGetHeaderField:-
Key: Server Value: Microsoft-IIS/5.0
.Key: Date Value: Thu, 12 Aug 2004 21:34:47 GMT
Key: X-Powered-By Value: ASP.NET
...Key: X-AspNet-Version Value: 1.1.4322
Key: WWW-Authenticate Value: Basic realm="xxx@xxx.com"
Key: WWW-Authenticate Value: Digest realm="xxx@xxx.com",nonce="64cca617efcc2946fee57e458d53da10",opaque="b2590191-c61a-47bc-9d50-749e8722eae2",qop="auth"
Key: Cache-Control Value: private
Key: Content-Type Value: text/plain
0
 
LVL 86

Expert Comment

by:CEHJ
ID: 11788886
iow, set WWW-Authenticate as a list of delimited values, as i mentioned
0
 
LVL 6

Author Comment

by:danths
ID: 11788909
That's for the server to do, not the client which I am working on? Why should the server do it if it's in compliance with the RFC? I don't have control over the server.
0
 
LVL 86

Expert Comment

by:CEHJ
ID: 11788926
>>That's for the server to do,

Well it wasn't quite clear originally whether you were looking at this from client or server perspective

If you're looking from client, then presumably you can parse delimited variables
0

 
LVL 92

Expert Comment

by:objects
ID: 11788933
Sorry ignore my previous comments, too early in the morning.

The Map returned by getHeaderFields() should contain a list of values if >1 exists.
0
 
LVL 92

Expert Comment

by:objects
ID: 11788986
"Each Map value is an unmodifiable List of Strings that represents the corresponding field values. "
0
 
LVL 6

Author Comment

by:danths
ID: 11788987
That's my point, isn't it true that per definition of Map "An object that maps keys to values. A map cannot contain duplicate keys; each key can map to at most one value." So theoretically the key contains just one value. Or should I interpret that the value is still one separated by a comma?
0
 
LVL 92

Accepted Solution

by:
objects earned 500 total points
ID: 11789005
Yes a Map can contain only one value/object, and in the case of multiple values being present then that one value is a list. You can then get the individual values from that list.

0
 
LVL 6

Author Comment

by:danths
ID: 11789015
Yeah! got it, sorry late in the day. Somehow was missing the keyword "List".

Thanks for your help.
0
 
LVL 92

Expert Comment

by:objects
ID: 11789022
0
 
LVL 86

Expert Comment

by:CEHJ
ID: 11791100
danths, can you tell me how the 'answer' you accepted differs in substance from what i was saying all along?
0
 
LVL 6

Author Comment

by:danths
ID: 11792140
CEHJ, even though you were close you weren't on the target.

Comment #1: "The first off-the-cuff suggestion is there are no duplicates, but the values of the challenge can be a delimited list"

Before this post I explicitly stated that as per RFC the header "WWW-Authenticate" could be duplicate and so your comment was wrong. "but the values of the challenge can be a delimited list": this was also in the RFC and so there's no ambiguity and it was just a repetition of the premise. So this comment didn't help me in reaching a solution.

Comment #2: "iow, set WWW-Authenticate as a list of delimited values, as i mentioned".

This was right after I had posted the client headers. Still I will give benefit of doubt since your and my comment were posted at exactly the same time. As I had previously mentioned I could not set the header, the server does it and my client just needs to read it. So this comment didn't help me in reaching a solution.

Comment #3: "If you're looking from client, then presumably you can parse delimited variables"

This was a bit off the target as well since I don't have to explicitly parse the variables.
getHeaderField("WWW-Authenticate") returns a string and so only the first pair is considered valid.
getHeaderFields returns a map; it automatically iterates through all the headers, finds duplicates, and if duplicate keys are found automatically adds all the values to a list, and so

a: XXX
b: YYY
a: ZZZ

becomes
a: XXX,ZZZ
b: YYY

and since a "MAP" [a] has a value of list with [XXX] and [YYY] in the list.

This was explicitly stated by "objects" later in the thread even though he was way off in the beginning of the thread. If you still feel that the points were unfairly awarded, pls report it to a moderator and I will abide by his/her suggestions.

Thanks
0
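
An added example, not part of the original thread: the RFC excerpt in the question warns that one WWW-Authenticate value may hold several challenges, each with its own comma-separated parameters, and the thread's output shows both the merged and the separate-header forms. The sketch below turns the `List<String>` that `getHeaderFields().get("WWW-Authenticate")` returns into one string per challenge for either form; the class and method names are hypothetical and the sample values are constructed.

```java
import java.util.*;

public class ChallengeParser {
    // Split on commas that sit outside double-quoted strings.
    static List<String> splitOutsideQuotes(String value) {
        List<String> parts = new ArrayList<>();
        StringBuilder cur = new StringBuilder();
        boolean quoted = false;
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (quoted && c == '\\' && i + 1 < value.length()) {
                cur.append(c).append(value.charAt(++i)); // keep a quoted-pair intact
            } else if (c == ',' && !quoted) {
                parts.add(cur.toString().trim());
                cur.setLength(0);
            } else {
                if (c == '"') quoted = !quoted;
                cur.append(c);
            }
        }
        parts.add(cur.toString().trim());
        return parts;
    }
    // One string per challenge, whether the server sent one header line or several.
    static List<String> challenges(List<String> headerValues) {
        List<String> out = new ArrayList<>();
        for (String value : headerValues) {
            boolean first = true; // each header value begins with a challenge
            for (String part : splitOutsideQuotes(value)) {
                if (part.isEmpty()) continue;
                int ws = part.indexOf(' '), eq = part.indexOf('=');
                // "scheme param=value" or a bare scheme starts a challenge;
                // a plain "param=value" continues the previous one.
                boolean starts = first || eq < 0
                        || (ws >= 0 && ws < eq && !part.substring(ws).trim().startsWith("="));
                if (starts) out.add(part);
                else out.set(out.size() - 1, out.get(out.size() - 1) + "," + part);
                first = false;
            }
        }
        return out;
    }
    public static void main(String[] args) {
        // Constructed sample values modelled on the thread's output (nonce shortened).
        List<String> merged = Arrays.asList(
                "Digest realm=\"xxx@xxx.com\",nonce=\"abc123\",qop=\"auth\", Basic realm=\"xxx@xxx.com\"");
        List<String> separate = Arrays.asList("Basic realm=\"xxx@xxx.com\"",
                "Digest realm=\"xxx@xxx.com\",nonce=\"abc123\",qop=\"auth\"");
        System.out.println(challenges(merged) + "\n" + challenges(separate));
    }
}
```

Both inputs yield two challenges, one Digest and one Basic. From that list a client can select the strongest scheme it supports (here Digest rather than Basic) instead of whichever challenge happens to come first.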
