Solved

WWW-Authenticate and getFieldHeaders

Posted on 2004-08-12
Last Modified: 2008-02-01
per RFC 2068
================================================
14.46 WWW-Authenticate

   The WWW-Authenticate response-header field MUST be included in 401
   (Unauthorized) response messages. The field value consists of at
   least one challenge that indicates the authentication scheme(s) and
   parameters applicable to the Request-URI.

          WWW-Authenticate  = "WWW-Authenticate" ":" 1#challenge

   The HTTP access authentication process is described in section 11.
   User agents MUST take special care in parsing the WWW-Authenticate
   field value if it contains more than one challenge, or if more than
   one WWW-Authenticate header field is provided, since the contents of
   a challenge may itself contain a comma-separated list of
   authentication parameters.
================================================
getHeaderFields
public Map getHeaderFields()
Returns an unmodifiable Map of the header fields. The Map keys are Strings that represent the response-header field names. Each Map value is an unmodifiable List of Strings that represents the corresponding field values.

Now, per the definition of Map: "An object that maps keys to values. A map cannot contain duplicate keys; each key can map to at most one value." How does this fit in with the permissible duplicate values of "WWW-Authenticate"? But getHeaderFields does allow duplicate values? How do I interpret this, and what is recommended for detecting the duplicate keys?
Question by:danths
16 Comments
 
LVL 86

Expert Comment

by:CEHJ
ID: 11788708
The first off-the-cuff suggestion is there are no duplicates, but the values of the challenge can be a delimited list
0
 
LVL 92

Expert Comment

by:objects
ID: 11788786
See getHeaders method:

public java.util.Enumeration getHeaders(java.lang.String name)
Returns all the values of the specified request header as an Enumeration of String objects.
Some headers, such as Accept-Language can be sent by clients as several headers each with a different value rather than sending the header as a comma separated list.

If the request did not include any headers of the specified name, this method returns an empty Enumeration. The header name is case insensitive. You can use this method with any request header.

Parameters:
name - a String specifying the header name
Returns:
an Enumeration containing the values of the requested header. If the request does not have any headers of that name return an empty enumeration. If the container does not allow access to header information, return null
0
 
LVL 6

Author Comment

by:danths
ID: 11788792
There are duplicate keys for WWW-Authenticate and it is legal as per the RFC. I could confirm that iterating thru each header field using getHeaderField(i), but if I use getHeaderFields only the first pair is returned. So does that mean that I cannot use getHeaderFields?
0
 
LVL 92

Expert Comment

by:objects
ID: 11788802
> but if I use getHeaderFields only the first pair is returned.
> So does that mean that I cannot use getHeaderFields?

correct
0
 
LVL 6

Author Comment

by:danths
ID: 11788884
what's the workaround?
More info:-


using getHeaderFields:-
HttpHeaderKeys: [X-Powered-By, X-AspNet-Version, null, Date, Server, Content-Type, Cache-Control, WWW-Authenticate]
HttpHeaderValues: [[ASP.NET], [1.1.4322], [HTTP/1.1 401 Unauthorized], [Thu, 12 Aug 2004 21:34:47 GMT], [Microsoft-IIS/5.0], [text/plain], [private], [Digest realm="xxx@xxx.com",nonce="64cca617efcc2946fee57e458d53da10",opaque="b2590191-c61a-47bc-9d50-749e8722eae2",qop="auth", Basic realm="xxx@xxx.com"]]
 
usingGetHeaderField:-
Key: Server Value: Microsoft-IIS/5.0
.Key: Date Value: Thu, 12 Aug 2004 21:34:47 GMT
Key: X-Powered-By Value: ASP.NET
...Key: X-AspNet-Version Value: 1.1.4322
Key: WWW-Authenticate Value: Basic realm="xxx@xxx.com"
Key: WWW-Authenticate Value: Digest realm="xxx@xxx.com",nonce="64cca617efcc2946fee57e458d53da10",opaque="b2590191-c61a-47bc-9d50-749e8722eae2",qop="auth"
Key: Cache-Control Value: private
Key: Content-Type Value: text/plain
0
 
LVL 86

Expert Comment

by:CEHJ
ID: 11788886
iow, set WWW-Authenticate as a list of delimited values, as i mentioned
0
 
LVL 6

Author Comment

by:danths
ID: 11788909
That's for the server to do, not the client, which I am working on. Why should the server do it if it's in compliance with the RFC? I don't have control over the server.
0
 
LVL 86

Expert Comment

by:CEHJ
ID: 11788926
>>That's for the server to do,

Well it wasn't quite clear originally whether you were looking at this from client or server perspective

If you're looking from client, then presumably you can parse delimited variables
0
 
LVL 92

Expert Comment

by:objects
ID: 11788933
Sorry ignore my previous comments, too early in the morning.

The Map returned by getHeaderFields() should contain a list of values if >1 exists.
0
 
LVL 92

Expert Comment

by:objects
ID: 11788986
"Each Map value is an unmodifiable List of Strings that represents the corresponding field values. "
0
 
LVL 6

Author Comment

by:danths
ID: 11788987
That's my point: isn't it true that per the definition of Map, "An object that maps keys to values. A map cannot contain duplicate keys; each key can map to at most one value."? So theoretically the key contains just one value. Or should I interpret that the value is still one, separated by a comma?
0
 
LVL 92

Accepted Solution

by:
objects earned 500 total points
ID: 11789005
Yes a Map can contain only one value/object, and in the case of multiple values being present then that one value is a list. You can then get the individual values from that list.

0
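Reading every challenge on the client, as an added example (not code from the thread): it collects all WWW-Authenticate values from the Map that getHeaderFields() returns and splits each value into challenges without breaking on commas inside quoted parameters. The class name, the helper names and the shortened sample headers are assumptions made for illustration; List.of needs Java 9 or later.

```java
import java.util.*;
public class WwwAuthenticateChallenges {
    // All values for a header name; names are case-insensitive, the status line has a null key.
    static List<String> headerValues(Map<String, List<String>> headers, String name) {
        List<String> out = new ArrayList<>();
        for (Map.Entry<String, List<String>> e : headers.entrySet())
            if (e.getKey() != null && e.getKey().equalsIgnoreCase(name)) out.addAll(e.getValue());
        return out;
    }

    // Split one field value into challenges. Commas inside quoted strings are kept; a top-level
    // comma starts a new challenge only when the next item is "scheme ..." and not "name=value".
    static List<String> splitChallenges(String value) {
        List<String> items = new ArrayList<>();
        StringBuilder cur = new StringBuilder();
        boolean quoted = false;
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (quoted && c == '\\' && i + 1 < value.length()) {  // quoted-pair such as \"
                cur.append(c).append(value.charAt(++i));
                continue;
            }
            if (c == '"') quoted = !quoted;
            if (c == ',' && !quoted) { items.add(cur.toString().trim()); cur.setLength(0); }
            else cur.append(c);
        }
        items.add(cur.toString().trim());
        List<String> challenges = new ArrayList<>();
        for (String item : items) {
            if (item.isEmpty()) continue;
            // A scheme is a token followed by end of item, or by spaces and something other than '='.
            boolean newScheme = item.matches("[\\w!#$%&'*+.^`|~-]+( +[^=\\s].*)?");
            int last = challenges.size() - 1;
            if (newScheme || last < 0) challenges.add(item);
            else challenges.set(last, challenges.get(last) + ", " + item);
        }
        return challenges;
    }
    public static void main(String[] args) {
        // Constructed sample modelled on the 401 response in the thread (nonce shortened).
        Map<String, List<String>> headers = new LinkedHashMap<>();
        headers.put(null, List.of("HTTP/1.1 401 Unauthorized"));
        headers.put("WWW-Authenticate", List.of("Basic realm=\"xxx@xxx.com\"",
            "Digest realm=\"xxx@xxx.com\",nonce=\"64cc\",qop=\"auth\""));
        // Constructed: two challenges folded into one value, with a comma inside the quoted realm.
        headers.put("www-authenticate", List.of("Digest realm=\"a,b\", qop=\"auth\", Basic realm=\"a,b\""));
        for (String value : headerValues(headers, "WWW-Authenticate"))
            for (String challenge : splitChallenges(value)) System.out.println(challenge);
    }
}
```

With a real connection, pass the Map returned by the connection's getHeaderFields() in place of the constructed one.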
 
LVL 6

Author Comment

by:danths
ID: 11789015
Yeah! got it, sorry late in the day. Somehow was missing the keyword "List".

Thanks for your help.
0
 
LVL 92

Expert Comment

by:objects
ID: 11789022
0
 
LVL 86

Expert Comment

by:CEHJ
ID: 11791100
danths, can you tell me how the 'answer' you accepted differs in substance from what i was saying all along?
0
 
LVL 6

Author Comment

by:danths
ID: 11792140
CEHJ, even though you were close you weren't on the target.

Comment #1: "The first off-the-cuff suggestion is there are no duplicates, but the values of the challenge can be a delimited list"

Before this post I explicitly stated that as per RFC the header "WWW-Authenticate" could be duplicate and so your comment was wrong. "but the values of the challenge can be a delimited list" this was also in the RFC and so there's no ambiguity and just was repetition of the premise. So this comment didn't help me in reaching a solution.

Comment #2: "iow, set WWW-Authenticate as a list of delimited values, as i mentioned".

This was right after I had posted the client headers. Still I will give benefit of doubt since your and my comment were posted at exactly the same time. As I had previously mentioned I could not set the header, the server does it and my client just needs to read it. So this comment didn't help me in reaching a solution.

Comment #3: "If you're looking from client, then presumably you can parse delimited variables"

This was a bit off the target as well since I don't have to explicitly parse the variables.
getHeaderField("WWW-Authenticate") returns a string and so only the first pair is considered valid.
getHeaderFields returns a map; it automatically iterates thru all the headers, finds duplicates, and if duplicate keys are found automatically adds all the values to a list, and so

a: XXX
b: YYY
a: ZZZ

becomes
a: XXX,ZZZ
b: YYY

and since a "MAP" [a] has a value of list with [XXX] and [YYY] in the list.

This was explicitly stated by "objects" later in the thread even though he was way off in the beginning of the thread. If you still feel that the points were unfairly awarded, pls report it to a moderator and I will abide by his/her suggestions.

Thanks
0
