BrowserUk has asked for the wisdom of the Perl Monks concerning the following question:

I'm trying to request a digest authentication protected web page using LWP. The documentation seems to be scattered and severely lacking on how to do this.

I've found reference to a credentials method of LWP::UserAgent, but this requires I supply the realm in addition to the userid and password, which doesn't make much sense because the realm (along with the nonce and qop) is provided by the server, in a header as a part of the 401 Unauthorised response:

    HTTP/1.1 401 Unauthorized
    WWW-Authenticate: Digest realm="Realm3", nonce="ded45a7b48533331610bf1fb682c920f", qop=auth
    Content-Type: text/html

So why (and how with a server that changes the realm on a per request basis), do I have to supply it to LWP? Shouldn't it extract these values from the 401 header and use them to construct the authorisation digest?


Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
"Science is about questioning the status quo. Questioning authority".
In the absence of evidence, opinion is indistinguishable from prejudice.
"Too many [] have been sedated by an oppressive environment of political correctness and risk aversion."

Re: LWP and Digest Authentication
by ikegami (Patriarch) on Feb 11, 2009 at 02:30 UTC

        It applies to digest as well. I use the following in one of my programs for a site that uses digest:

        sub get_basic_credentials {
            my ($self, $realm, $uri, $isproxy) = @_;

            if ( !$isproxy
              && $realm eq 'example'
              && $uri->host_port() =~ /(^|\.)example\.com:80\z/i
            ) {
                return ($self->{user}, $self->{passwd});
            }

            return $self->SUPER::get_basic_credentials($realm, $uri, $isproxy);
        }

        credentials populates a hash which the base get_basic_credentials accesses. That's fine for most uses. If it isn't, overriding get_basic_credentials gives extra flexibility. In my case, the realm is fixed, but there's an unlimited number of subdomains being accessed.

Re: LWP and Digest Authentication
by Anonymous Monk on Feb 11, 2009 at 02:16 UTC

      What exactly do you think those links are meant to tell me?

      1. The grep references digest, but tells me nothing I do not already know.
      2. The second is a test script testing authentication...

        But, as I pointed out above, it hardcodes the realm rather than deriving it from the 401 header.

        No help there then.

      3. The third is a test script checking an MD5 content header?

      I don't know who you are (though I could probably take a good guess), but quite what you thought the point of your contribution was, I cannot fathom from your terse response.

      Perhaps that's why your post was so terse; you didn't know what you were trying to say?


      Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
      "Science is about questioning the status quo. Questioning authority".
      In the absence of evidence, opinion is indistinguishable from prejudice.
        They were suggestions for you to look at, sorry. I don't see where it hardcodes the realm. I get
            1..2
            test:http://jigsaw.w3.org/HTTP/Digest/: => foo/bar
            test:http://jigsaw.w3.org/HTTP/Digest/: => /
            test:http://jigsaw.w3.org/HTTP/Digest/: => guest/
            test:http://jigsaw.w3.org/HTTP/Digest/: => guest/guest
            ok 1
            ok 2
        test doesn't appear anywhere in the code, and the docs for get_basic_credentials say "The arguments passed in is the $realm provided by the server, the $uri requested and a boolean flag to indicate if this is authentication against a proxy server.", so isn't this what you want?
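
An added example, not code from any poster in this thread: it parses the Digest challenge from the 401 response quoted in the question and computes the RFC 2617 qop=auth response, showing where the server-supplied realm, nonce and qop enter the digest. The user name, password, request URI, nc and cnonce are constructed sample values.

```perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# Split a Digest challenge into its name=value parameters.
sub parse_digest_challenge {
    my ($header) = @_;
    $header =~ s/^\s*Digest\s+//i or die "not a Digest challenge\n";
    my %param;
    while ( $header =~ /\G\s*,?\s*([A-Za-z-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))/gc ) {
        my ( $name, $value ) = ( lc $1, defined $2 ? $2 : $3 );
        $value =~ s/\\(.)/$1/g;    # undo quoted-pair escapes
        $param{$name} = $value;
    }
    return \%param;
}

# RFC 2617 response for qop=auth. The password only enters HA1;
# it is never sent on the wire.
sub digest_response {
    my (%p) = @_;
    my $ha1 = md5_hex( join ':', @p{qw(user realm password)} );
    my $ha2 = md5_hex( join ':', @p{qw(method uri)} );
    return md5_hex( join ':', $ha1, @p{qw(nonce nc cnonce qop)}, $ha2 );
}

# Challenge from the 401 response quoted in the question.
my $challenge =
    'Digest realm="Realm3", nonce="ded45a7b48533331610bf1fb682c920f", qop=auth';
my $c = parse_digest_challenge($challenge);

# The server may offer several qop values; this example handles only "auth".
die "server does not offer qop=auth\n"
    unless grep { $_ eq 'auth' } split /\s*,\s*/, ( $c->{qop} // '' );

my %req = (
    user   => 'guest',    password => 'guest',       # constructed credentials
    method => 'GET',      uri      => '/protected/', # constructed request
    nc     => '00000001', cnonce   => '0a4f113b',    # constructed client values
    realm  => $c->{realm}, nonce   => $c->{nonce}, qop => 'auth',
);
my $response = digest_response(%req);

printf qq{Authorization: Digest username="%s", realm="%s", nonce="%s", }
     . qq{uri="%s", qop=%s, nc=%s, cnonce="%s", response="%s"\n},
    @req{qw(user realm nonce uri qop nc cnonce)}, $response;
```

Because the realm in HA1 is whatever the server sent, the decision about which credentials to release is better tied to the host and the proxy flag, as the get_basic_credentials override earlier in the thread does, than to the realm string alone.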