in reply to Basic / Digest authentication in website

I'd use Wireshark to see what happens. Unfortunately you have not provided us with the most interesting data -- the responses you've got.

Re^2: Basic / Digest authentication in website
by TheFlyingCorpse (Novice) on Jul 11, 2010 at 16:56 UTC
    The first block of code gives me this output, which is very similar to all the others regarding the 401.

    HTTP/1.1 401 Unauthorized
    WWW-Authenticate: Digest realm="GWAVA Console",qop="auth",nonce="d951626547bbe35ffba6032ba46959bc",opaque="38f98a915296a94de4bbdaa09cb94726"
    Client-Date: Sun, 11 Jul 2010 15:51:19 GMT
    Client-Peer: 10.10.10.10:49282
    Client-Response-Num: 1

      Your third piece of code:

      $mechanize->credentials("server:49282","Digest realm", $username=>$password);

      The server's response:

      WWW-Authenticate: Digest realm="GWAVA Console", ...

      Do you see the important difference?

      Either use the two-argument form of WWW::Mechanize->credentials() or fix the realm argument of the four-argument form to match the server's 401 response.

      The second piece of code has the same problem, but you can't use the two-argument form of LWP::UserAgent->credentials() (it is a getter, not a setter).

      zwon explained to you why the first piece of code doesn't work.

      Alexander

      --
      Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
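The realm point made in the reply above, as an added example that is not part of the thread or of libwww-perl: it parses a challenge like the one posted and shows that the realm feeds into the RFC 2617 response as well as being the key LWP stores credentials under. The realm, qop, `server:49282`, `$username` and `$password` come from the thread; the nonce, opaque, cnonce and the demo user and password are constructed, and `parse_challenge` and `digest_response` are hypothetical helper names.

```perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# Constructed sample: realm and qop are the ones quoted in the thread;
# nonce and opaque are made-up placeholders.
my $challenge = 'Digest realm="GWAVA Console",qop="auth",'
              . 'nonce="00112233445566778899aabbccddeeff",opaque="0123456789abcdef"';

# Split a WWW-Authenticate value into its scheme and key=value parameters.
sub parse_challenge {
    my ($header) = @_;
    my ($scheme, $rest) = $header =~ /^\s*(\w+)\s+(.*)$/s
        or die "no auth scheme in header\n";
    my %p = (scheme => $scheme);
    while ($rest =~ /\G\s*,?\s*([\w-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))/gc) {
        my ($key, $quoted, $token) = ($1, $2, $3);
        $quoted =~ s/\\(.)/$1/g if defined $quoted;   # undo quoted-pair escapes
        $p{lc $key} = $quoted // $token;
    }
    return \%p;
}

# RFC 2617 response for qop=auth with the default MD5 algorithm.
sub digest_response {
    my (%arg) = @_;
    my $ha1 = md5_hex(join ':', @arg{qw(user realm pass)});
    my $ha2 = md5_hex(join ':', @arg{qw(method uri)});
    return md5_hex(join ':', $ha1, @arg{qw(nonce nc cnonce qop)}, $ha2);
}

my $c = parse_challenge($challenge);
die "not a Digest challenge\n" unless lc $c->{scheme} eq 'digest';

my %common = (
    user => 'demo', pass => 'demo-pass',          # hypothetical credentials
    method => 'GET', uri => '/',
    nonce => $c->{nonce}, qop => $c->{qop},
    nc => '00000001', cnonce => '0a4f113b',       # constructed client values
);
my $good = digest_response(%common, realm => $c->{realm});
my $bad  = digest_response(%common, realm => 'Digest realm');
print "realm sent by server       : $c->{realm}\n";
print "response with server realm : $good\n";
print "response with wrong realm  : $bad\n";

# LWP looks credentials up by host:port and realm, so register the parsed realm:
#   $ua->credentials('server:49282', $c->{realm}, $username, $password);
```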

      Ok, so it is Digest authentication, not Basic, that's why the first block of code doesn't work for you.

        LWP should handle both Basic and Digest authentication with LWP::Authen::Basic and LWP::Authen::Digest.

        I've searched for more documentation about LWP and Digest authentication, but not found much more.

        I've found the node LWP and Digest Authentication here on PerlMonks which linked me to the t/jigsaw-auth-d.t script inside the libwww-perl distribution, which is kind of confusing.

        use LWP::UserAgent;

        {
            package MyUA;
            use vars qw(@ISA);
            @ISA = qw(LWP::UserAgent);

            my @try = (['foo', 'bar'], ['', ''], ['guest', ''], ['guest', 'guest']);

            sub get_basic_credentials {
                my($self,$realm, $uri, $proxy) = @_;
                print "$realm:$uri:$proxy => ";
                my $p = shift @try;
                print join("/", @$p), "\n";
                return @$p;
            }
        }

        my $ua = MyUA->new(keep_alive => 1);
        my $req = HTTP::Request->new(GET => "http://jigsaw.w3.org/HTTP/Digest/");
        my $res = $ua->request($req);

        To properly use the digest authentication the function get_basic_credentials() has to be overridden as ikegami did on Re^3: LWP and Digest Authentication.

        Alex's Log - http://alexlog.co.cc
      The realm is "GWAVA Console", but you told LWP to only respond to the realm "Digest realm"
        It was part of a scheme to obfuscate, the code does say GWAVA Console, for security measures I tried again and it still fails.
        Just to add another piece I picked up, there is no domain in the header. The server we talk to is not a readable standard Apache afaik either, I found the realm information deep in a binary on the target server. Other browsers are however able to authenticate, so something weird...

        Or, I could copy the page I want, modify it to remove the data I don't want and place it outside the password area, it seems like a kind of JavaScript HTML page processed on the request (references to JDB inside), that is however the way I least want to go in terms of security and Perl should be able to do this (maybe it's I who don't get it...)