(from soap4r ML)
I fixed the problem of always sending the password in the clear by
checking the HTTP and making sure that the server is indeed requesting
basic realm. In class BasicAuth I added lines with +:
def set(uri, user_id, passwd)
uri = uri.clone
+ # Make sure that the server is really requesting Basic
Authentication!
+ serverRealm = (@client.head(uri).header['WWW-Authenticate']).join
+ return nil if ("Basic realm".downcase !=
serverRealm[0,11].downcase)
uri.path = uri.path.sub(/\/[^\/]*$/, '/')
@auth[uri] = ["#{user_id}:#{passwd}"].pack('m').strip
@client.reset_all
end
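Review bot: the added check proves only that a separate HEAD of this URI was challenged with Basic at the moment set() ran; the credentials are still stored in @auth and will be attached by the normal send path afterwards whether or not the request being answered carried a WWW-Authenticate header, so the unsolicited-send problem remains for every later request. The decision belongs where the Authorization header is attached, keyed on the 401 challenge of the request actually being retried, not in set(). Two smaller points in the `+` lines: `serverRealm[0,11].downcase` is a fixed-width prefix match, so it rejects a valid challenge with different spacing (`Basic  realm=`) and any response where a Digest challenge precedes the Basic one (the `.join` concatenates all header values into one string); and silently returning nil leaves the caller believing credentials were registered. Matching the scheme token with something like `serverRealm =~ /\ABasic\b/i` and raising or logging on mismatch would be clearer. Note also that many SOAP endpoints answer HEAD with 405 or without a challenge, in which case this check disables Basic auth entirely; and the unchanged `["#{user_id}:#{passwd}"].pack('m').strip` line wraps its output every 60 characters, so a long user:passwd yields a header value with an embedded newline.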
I forgot to mention that the digest authentication in the code I posted
earlier is hardcoded to build the digest response with "POST" which
always works for me, as I'm sending SOAP. I'm not sure how to get the
correct HTTP method. (http-access2 is about 1700 lines of code and I
haven't had a chance to understand the flow...)
NaHi: I think I understood the problem, but the problem is in BasicAuth#get,
not in BasicAuth#set, right? http-access2 now sends the password to a
defined realm even if WWW-Authenticate is missing.
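Putting the two points of this thread together (send Basic credentials only when the server actually challenges with Basic, and compute the Digest response from the real request method), as an added example that is not soap4r or http-access2 code: a small challenge-driven helper that parses WWW-Authenticate values the way http-access2 hands them back (an array of header values) and returns the matching Authorization header, or nil when nothing was requested. The function names, the Basic challenge, realm names and credentials are constructed for illustration; the Digest challenge in the demo is the RFC 2617 worked example.

```ruby
require 'base64'
require 'digest/md5'

# Parse one WWW-Authenticate value (RFC 2617 challenge syntax) into
# [scheme, params], e.g. 'Basic realm="soap"' -> ["basic", {"realm"=>"soap"}].
# Returns nil for an empty value. http-access2 returns the header as an array
# of values, one per WWW-Authenticate line, so the callers below take an array.
def parse_challenge(value)
  scheme, rest = value.to_s.strip.split(/\s+/, 2)
  return nil unless scheme
  params = {}
  rest.to_s.scan(/(\w+)=(?:"([^"]*)"|([^,\s]+))/) do |key, quoted, bare|
    params[key.downcase] = quoted || bare
  end
  [scheme.downcase, params]
end

# "Basic <base64>" only when some challenge's scheme token is Basic (compared
# case-insensitively, not by an 11-character prefix); otherwise nil, i.e. send
# nothing. strict_encode64 never inserts newlines, unlike Array#pack('m'),
# which wraps its output every 60 characters.
def basic_authorization(challenges, user, passwd)
  return nil unless challenges.any? { |c| (parse_challenge(c) || [])[0] == 'basic' }
  'Basic ' + Base64.strict_encode64("#{user}:#{passwd}")
end

# Digest Authorization header (RFC 2617) computed for the request's actual
# method: A2 = method ":" uri, so a response built with a hardcoded "POST" is
# wrong for every GET or HEAD. nonce_count and cnonce are parameters here so
# the result is reproducible; a real client increments nc and randomises cnonce.
def digest_authorization(challenge, method, uri_path, user, passwd,
                         nonce_count: 1, cnonce: '0a4f113b')
  scheme, params = parse_challenge(challenge)
  return nil unless scheme == 'digest' && params['realm'] && params['nonce']
  ha1 = Digest::MD5.hexdigest("#{user}:#{params['realm']}:#{passwd}")
  ha2 = Digest::MD5.hexdigest("#{method.to_s.upcase}:#{uri_path}")
  fields = [%(username="#{user}"), %(realm="#{params['realm']}"),
            %(nonce="#{params['nonce']}"), %(uri="#{uri_path}")]
  if params['qop'].to_s.split(',').map(&:strip).include?('auth')
    nc = format('%08x', nonce_count)
    response = Digest::MD5.hexdigest("#{ha1}:#{params['nonce']}:#{nc}:#{cnonce}:auth:#{ha2}")
    fields += [%(qop=auth), %(nc=#{nc}), %(cnonce="#{cnonce}")]
  else
    # Server offered no qop: RFC 2069-style response without nc/cnonce.
    response = Digest::MD5.hexdigest("#{ha1}:#{params['nonce']}:#{ha2}")
  end
  fields << %(response="#{response}")
  fields << %(opaque="#{params['opaque']}") if params['opaque']
  'Digest ' + fields.join(', ')
end

# Answer exactly what the server asked for: Digest if offered (preferred, since
# Basic sends the password itself), else Basic, else nil, which also covers a
# response with no WWW-Authenticate header at all.
def authorization_for(challenges, method, uri_path, user, passwd, **digest_opts)
  by_scheme = {}
  challenges.each do |c|
    scheme, = parse_challenge(c)
    by_scheme[scheme] ||= c if scheme
  end
  if by_scheme['digest']
    digest_authorization(by_scheme['digest'], method, uri_path, user, passwd, **digest_opts)
  elsif by_scheme['basic']
    basic_authorization([by_scheme['basic']], user, passwd)
  end
end

if __FILE__ == $0
  # Constructed sample challenges; the Digest one is the RFC 2617 worked example.
  basic_ch  = ['Basic realm="soap4r-demo"']
  digest_ch = ['Digest realm="testrealm@host.com", qop="auth,auth-int", ' \
               'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", ' \
               'opaque="5ccc069c403ebaf9f0171e9517f40e41"']
  puts authorization_for(basic_ch, 'POST', '/', 'user', 'pass')
  puts authorization_for(digest_ch, 'GET', '/dir/index.html', 'Mufasa', 'Circle Of Life')
  p authorization_for([], 'POST', '/', 'user', 'pass')   # no challenge => nil
end
```

Because the decision is taken from the challenge of the request being answered, there is nothing to pre-register before a challenge arrives, so there is no equivalent of storing credentials in @auth ahead of time; the same call is made with the method of whatever request received the 401, which is also what removes the hardcoded "POST".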