This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 805 - Support auth proxying for multiple WWW-Authenticate headers
Summary: Support auth proxying for multiple WWW-Authenticate headers
Alias: None
Product: Validator
Classification: Unclassified
Component: check (show other bugs)
Version: 0.6.6
Hardware: All other
: P2 normal
Target Milestone: 0.6.7
Assignee: Ville Skyttä
QA Contact: qa-dev tracking
Depends on:
Reported: 2004-06-18 18:47 UTC by jmcgrory
Modified: 2010-03-16 18:41 UTC (History)
0 users

See Also:


Description jmcgrory 2004-06-18 18:47:27 UTC
A highly necessary function of the validator no longer works.  My students 
work on password protected Web sites.  I check their uploaded files with the 
W3 validator.  Since the checker no longer validates password protected URLs, 
it is no longer feasible for me to check their work for invalid code.  

Like you, I want to encourage my students - the XHTML and XML programmers of 
tomorrow - to use your specifications and write valid code.  But you also 
know, that "trusting" the students to submit valid code for grading will not 
support this practice.  Ultimately, I would have to eliminate this checking 
process from my instructional method.

For a teacher at a community college, the validator is the cop at the traffic 
light.  I'd like to trust all my students to always follow lawful driving 
practices.  But, if not, I need the ability to give them a ticket.  I can only 
do this if I can validate code that the students publish within the safety of 
our password protected area of our college Web.
Comment 1 Bj 2004-06-18 19:24:33 UTC
I think the configuration of your web server changed, your example document 
returns something like

% http-head
HTTP/1.1 401 Access Denied
Server: Microsoft-IIS/5.0
Date: Fri, 18 Jun 2004 23:22:26 GMT
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm=""
Connection: close
Content-Length: 4431
WWW-Authenticate: Digest qop="auth", realm="", 
Content-Type: text/html

and the Validator gets confused by the multiple WWW-Authenticate headers. It 
seems the code was never prepared to handle this properly.
Comment 2 Bj 2004-06-18 19:29:49 UTC
Looking at the code, there are a number of flaws,

  $authHeader =~ s( realm=([\'\"])?([^\1]+)\1){ realm="$realm-$2"};

This cannot work as expected as the \1 is not evaluated inside the [^...], the 
next flaw is

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
  <html lang="en" xml:lang="en">

I removed the xml:lang="en" as it is not allowed in HTML 4.01, then

      The URL you specified, &lt;<a href="$resource">$resource</a>&gt;,
      returned a 401 "authorization required" response when I tried
      to download it.

$resource must be passed to ent(...) so that special characters get escaped.
Comment 3 Ville Skyttä 2004-06-28 18:35:15 UTC
I have added some code to deal with multiple WWW-Authenticate headers to CVS. 
Unfortunately I cannot test this in a too wide range of situations, but the
usual basic authentication cases still work for me.

jmcgrory, we have a test version up at containing
the new code.  Could you test that and report back if it fixes the problem or not?
Thanks in advance!
Comment 4 jmcgrory 2004-06-29 09:31:34 UTC
Yes! It works! Thank you also for adding the to 
the successful validation code.

Thank you so much for resolving this problem.  In doing so, you have made it 
feasible for me to check the work of my students and to enforce valid practice 
in their coding.  Additionally, my students have enjoyed participating in this 
resolution process.  They were impressed that at the speed and professionalism 
with which the W3C (and the Web community) responded to the problem.

Thanks again.  I consider this item resolved.

Comment 5 Ville Skyttä 2004-07-04 05:55:45 UTC
Thanks for the confirmation.  This fix will be included in the next release of
the validator.  In the meantime, you can continue to use the :8001 version, but
please keep in mind that it is not a production release, and that as soon as the
next production one is out, it is recommended to switch to the "normal" version
running at (port 80).
Comment 6 jmcgrory 2004-07-28 13:18:16 UTC
Although this bug was resolved a few weeks ago, it is now incorrectly 
disabled.  It is absolutely essential that my students - who work on a 
password protected area of the server - be capable of validating their code 
from the Web server by adding the following code to each page: 

       	<a href="">
        <img src="../images/XHTML11_logo.gif"
             alt="Valid XHTML 1.1!" 
         />	</a>

If we can't validate from a password protected server - which was possible but 
now is not - then these processes cannot be taught to our future Web 

I was so impressed by your help.  As a class, we were all impressed by your 
responsiveness.  We need you to continue to support this validation code.
Comment 7 jmcgrory 2004-07-28 13:27:23 UTC
Nevermind - thank you - I see that you moved this into production and so the 
traditional validation code works.  Thank you!  So sorry for my compliant - 
this is resolved!

       	<a href="">
        <img src="../images/XHTML11_logo.gif"
             alt="Valid XHTML 1.1!" 
         />	</a>
Comment 8 Olivier Thereaux 2004-07-28 18:15:43 UTC
the service on :8001 is working again... 
But by all means, keep using the production service, which should be more stable.

Comment 9 jmcgrory 2004-09-28 20:47:25 UTC
Although the problem was once corrected, the problem has reoccured.  The 
problem as described below is also apparent in the CSS validator.  Please 
help!  My students and I must have a resolution of this problem!