  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 695

WWW-Authenticate and getFieldHeaders

per RFC 2068
================================================
14.46 WWW-Authenticate

   The WWW-Authenticate response-header field MUST be included in 401
   (Unauthorized) response messages. The field value consists of at
   least one challenge that indicates the authentication scheme(s) and
   parameters applicable to the Request-URI.

          WWW-Authenticate  = "WWW-Authenticate" ":" 1#challenge

   The HTTP access authentication process is described in section 11.
   User agents MUST take special care in parsing the WWW-Authenticate
   field value if it contains more than one challenge, or if more than
   one WWW-Authenticate header field is provided, since the contents of
   a challenge may itself contain a comma-separated list of
   authentication parameters.
================================================
getHeaderFields
public Map getHeaderFields()
Returns an unmodifiable Map of the header fields. The Map keys are Strings that represent the response-header field names. Each Map value is an unmodifiable List of Strings that represents the corresponding field values.

Now, per the definition of Map: "An object that maps keys to values. A map cannot contain duplicate keys; each key can map to at most one value." How does this fit in with the permissible duplicate values of "WWW-Authenticate"? But getHeaderFields does allow duplicate values? How do I interpret this, and what is recommended in detecting the duplicate keys?
0
danths
Asked:
danths
1 Solution
 
CEHJ Commented:
The first off-the-cuff suggestion is there are no duplicates, but the values of the challenge can be a delimited list
0
 
objects Commented:
See getHeaders method:

public java.util.Enumeration getHeaders(java.lang.String name)
Returns all the values of the specified request header as an Enumeration of String objects.
Some headers, such as Accept-Language can be sent by clients as several headers each with a different value rather than sending the header as a comma separated list.

If the request did not include any headers of the specified name, this method returns an empty Enumeration. The header name is case insensitive. You can use this method with any request header.

Parameters:
name - a String specifying the header name
Returns:
an Enumeration containing the values of the requested header. If the request does not have any headers of that name return an empty enumeration. If the container does not allow access to header information, return null
0
 
danths (Author) Commented:
There are duplicate keys for WWW-Authenticate and it is legal as per the RFC. I could confirm that by iterating through each header field using getHeaderField(i), but if I use getHeaderFields only the first pair is returned. So does that mean that I cannot use getHeaderFields?
0
 
objects Commented:
> but if I use getHeaderFields only the first pair is returned.
> So does that mean that I cannot use getHeaderFields?

correct
0
 
danths (Author) Commented:
what's the workaround?
More info:-


using getHeaderFields:-
HttpHeaderKeys: [X-Powered-By, X-AspNet-Version, null, Date, Server, Content-Type, Cache-Control, WWW-Authenticate]
HttpHeaderValues: [[ASP.NET], [1.1.4322], [HTTP/1.1 401 Unauthorized], [Thu, 12 Aug 2004 21:34:47 GMT], [Microsoft-IIS/5.0], [text/plain], [private], [Digest realm="xxx@xxx.com",nonce="64cca617efcc2946fee57e458d53da10",opaque="b2590191-c61a-47bc-9d50-749e8722eae2",qop="auth", Basic realm="xxx@xxx.com"]]
 
using getHeaderField:-
Key: Server Value: Microsoft-IIS/5.0
.Key: Date Value: Thu, 12 Aug 2004 21:34:47 GMT
Key: X-Powered-By Value: ASP.NET
...Key: X-AspNet-Version Value: 1.1.4322
Key: WWW-Authenticate Value: Basic realm="xxx@xxx.com"
Key: WWW-Authenticate Value: Digest realm="xxx@xxx.com",nonce="64cca617efcc2946fee57e458d53da10",opaque="b2590191-c61a-47bc-9d50-749e8722eae2",qop="auth"
Key: Cache-Control Value: private
Key: Content-Type Value: text/plain
0
 
CEHJ Commented:
iow, set WWW-Authenticate as a list of delimited values, as i mentioned
0
 
danths (Author) Commented:
That's for the server to do, not the client, which I am working on. Why should the server do it if it's in compliance with the RFC? I don't have control of the server.
0
 
CEHJ Commented:
>>That's for the server to do,

Well it wasn't quite clear originally whether you were looking at this from client or server perspective

If you're looking from client, then presumably you can parse delimited variables
0
 
objects Commented:
Sorry, ignore my previous comments, too early in the morning.

The Map returned by getHeaderFields() should contain a list of values if >1 exists.
0
 
objects Commented:
"Each Map value is an unmodifiable List of Strings that represents the corresponding field values. "
0
 
danths (Author) Commented:
That's my point: isn't it true that, per the definition of Map, "An object that maps keys to values. A map cannot contain duplicate keys; each key can map to at most one value."? So theoretically the key contains just one value. Or should I interpret that the value is still one, separated by a comma?
0
 
objects Commented:
Yes a Map can contain only one value/object, and in the case of multiple values being present then that one value is a list. You can then get the individual values from that list.

0
 
danths (Author) Commented:
Yeah! got it, sorry late in the day. Somehow was missing the keyword "List".

Thanks for your help.
0
 
objects Commented:
0
 
CEHJ Commented:
danths, can you tell me how the 'answer' you accepted differs in substance from what i was saying all along?
0
 
danths (Author) Commented:
CEHJ, even though you were close, you weren't on the target.

Comment #1: "The first off-the-cuff suggestion is there are no duplicates, but the values of the challenge can be a delimited list"

Before this post I explicitly stated that as per the RFC the header "WWW-Authenticate" could be duplicated, and so your comment was wrong. "but the values of the challenge can be a delimited list": this was also in the RFC, so there's no ambiguity and it was just a repetition of the premise. So this comment didn't help me in reaching a solution.

Comment #2: "iow, set WWW-Authenticate as a list of delimited values, as i mentioned".

This was right after I had posted the client headers. Still I will give benefit of doubt since your and my comment were posted at exactly the same time. As I had previously mentioned I could not set the header, the server does it and my client just needs to read it. So this comment didn't help me in reaching a solution.

Comment #3: "If you're looking from client, then presumably you can parse delimited variables"

This was a bit off the target as well since I don't have to explicitly parse the variables.
getHeaderField("WWW-Authenticate") returns a string and so only the first pair is considered valid.
getHeaderFields returns a map; it automatically iterates through all the headers, finds duplicates, and if duplicate keys are found automatically adds all the values to a list, and so

a: XXX
b: YYY
a: ZZZ

becomes
a: XXX,ZZZ
b: YYY

and since a "MAP" [a] has a value of list with [XXX] and [YYY] in the list.

This was explicitly stated by "objects" later in the thread even though he was way off in the beginning of the thread. If you still feel that the points were unfairly awarded, pls report it to a moderator and I will abide by his/her suggestions.

Thanks
0
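The point the thread settles on, as an added example that is not code from any poster: read every WWW-Authenticate value from the Map that getHeaderFields() returns and split each into challenges without breaking on the commas inside a challenge, so the client sees every offered scheme (for instance, to prefer Digest over Basic). The class and method names and the sample header values are constructed for illustration; the parser assumes name=value auth-params only and does not handle token68 credentials.

```java
import java.util.*;
public class ChallengeParser {
    record Challenge(String scheme, Map<String, String> params) {}   // Java 16+
    // Split on commas that are outside double-quoted strings.
    static List<String> splitOutsideQuotes(String value) {
        List<String> parts = new ArrayList<>();
        StringBuilder cur = new StringBuilder();
        boolean quoted = false;
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '\\' && quoted && i + 1 < value.length()) {
                cur.append(c).append(value.charAt(++i));   // escaped char, kept as-is
            } else if (c == ',' && !quoted) {
                parts.add(cur.toString().trim()); cur.setLength(0);
            } else {
                if (c == '"') quoted = !quoted;
                cur.append(c);
            }
        }
        parts.add(cur.toString().trim());
        return parts;
    }
    // Input has the shape of the Map returned by URLConnection.getHeaderFields().
    static List<Challenge> parse(Map<String, List<String>> headers) {
        List<Challenge> out = new ArrayList<>();
        for (Map.Entry<String, List<String>> e : headers.entrySet()) {
            // The status line has a null key; header names are case-insensitive.
            if (!"WWW-Authenticate".equalsIgnoreCase(e.getKey())) continue;
            for (String value : e.getValue()) for (String part : splitOutsideQuotes(value)) {
                int sp = part.indexOf(' '), eq = part.indexOf('=');
                if (!part.isEmpty() && (eq < 0 || (sp > 0 && sp < eq))) {   // part opens with a scheme
                    out.add(new Challenge(sp < 0 ? part : part.substring(0, sp), new LinkedHashMap<>()));
                    part = sp < 0 ? "" : part.substring(sp + 1).trim();
                    eq = part.indexOf('=');
                }
                if (eq > 0 && !out.isEmpty())   // name=value auth-param of the current challenge
                    out.get(out.size() - 1).params().put(part.substring(0, eq).trim().toLowerCase(Locale.ROOT),
                            part.substring(eq + 1).trim().replaceAll("^\"|\"$", ""));
            }
        }
        return out;
    }
    public static void main(String[] args) {   // header values are constructed samples
        String digest = "Digest realm=\"r@example.com\",nonce=\"abc123\",qop=\"auth\"";
        String basic = "Basic realm=\"r@example.com\"";
        System.out.println(parse(Map.of("WWW-Authenticate", List.of(basic, digest))));
        System.out.println(parse(Map.of("www-authenticate", List.of(digest + ", " + basic))));
    }
}
```

Both calls in main yield one Basic and one Digest challenge, whether the server sent two header lines or one line carrying both challenges.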
