bug-wget

Re: [Bug-wget] Sprint Security non-challenge use case


From: Micah Cowan
Subject: Re: [Bug-wget] Sprint Security non-challenge use case
Date: Thu, 01 Jul 2010 11:49:29 -0700
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.9) Gecko/20100423 Thunderbird/3.0.4

On 07/01/2010 05:23 AM, Tim Pizey wrote:
> Hi Micah and list,
> 
> Thanks for a great utility, whose size and complexity I am only just
> beginning to appreciate.
> 
> I have just been tripped up by the newish (post 1.10.2) behaviour of
> wget, that it relies upon a challenge prior to supplying
> authentication headers.
> 
> I have written up the problem at
> http://tim-pizey.blogspot.com/2010/07/using-both-http-basic-and-session-based.html
> 
> To paraphrase: I think the old behaviour was more intuitive: if user
> supplies username and password pass them on to server.
> 
> The Spring Security auto-config (ie their default) is to respect
> http-basic authentication if it is supplied but to redirect the 'user'
> to a forms based login if it is not supplied, ie not to issue a
> challenge.

Yes, that happens on a few servers, and that's why
--auth-before-challenge was made an option. Use that if that's what you
want.

> So I suggest that at the least the manpage wording is changed, if not
> the behaviour reverted.

What specifically would you wish to change?

It's not my decision any longer, but reverting the behavior is a very
bad idea IMO. There are obvious security problems with sending cleartext
passwords as a default behavior, without first checking whether the
server will allow you to send it in an encrypted form, which is why I
made it a high priority to change that behavior in 1.11. It breaks any
sense of decent security, and also breaks the RFCs.

However, I suppose a case might be made for making an exception in the
case of HTTPS, where even "cleartext" passwords would be sent over an
encrypted tunnel.

-- 
Micah J. Cowan
http://micah.cowan.name/
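The exchange above turns on three client policies (wait for a 401 challenge, --auth-before-challenge, and Micah's suggested HTTPS-only exception) and on a server that redirects to a login form instead of challenging. The following Python model, added here as an illustration and not code from wget or from Spring Security, plays those policies against three constructed toy servers and reports whether the password ever crossed the wire in cleartext. Credentials, realm, nonce and the server behaviours are all constructed assumptions; the Digest computation is the RFC 2617 form without qop.

```python
import base64
import hashlib
import re
from urllib.parse import urlsplit

# Constructed values for the toy servers (assumptions, not from the thread).
REALM = "example"
NONCE = "constructed-nonce-123"
USER, PASSWORD = "alice", "s3cret"


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, password, method, uri, nonce, realm=REALM):
    """RFC 2617 'response' value (no qop): proves knowledge of the password
    without putting the password itself on the wire."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def basic_credentials(user, password):
    """Basic scheme: base64 of user:password, i.e. cleartext to anyone on the path."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


# --- Toy servers: (method, uri, request headers) -> (status, response headers)

def challenging_server(method, uri, headers):
    """RFC-conformant: 401 with a Basic challenge first, then accept Basic."""
    if headers.get("Authorization") == basic_credentials(USER, PASSWORD):
        return 200, {}
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}


def digest_server(method, uri, headers):
    """Offers Digest only, but (like many servers) still accepts a Basic header
    a client volunteers; that is the downgrade a preemptive client walks into."""
    auth = headers.get("Authorization", "")
    if auth == basic_credentials(USER, PASSWORD):
        return 200, {}
    expected = digest_response(USER, PASSWORD, method, uri, NONCE)
    if auth.startswith("Digest ") and f'response="{expected}"' in auth:
        return 200, {}
    return 401, {"WWW-Authenticate": f'Digest realm="{REALM}", nonce="{NONCE}"'}


def redirecting_server(method, uri, headers):
    """Spring-Security-like default as described in the thread: honours Basic
    if present, otherwise redirects to a form login instead of challenging."""
    if headers.get("Authorization") == basic_credentials(USER, PASSWORD):
        return 200, {}
    return 302, {"Location": "/login"}


def fetch(url, server, auth_before_challenge=False, https_exception=False):
    """Model of the client policy under discussion.
    Returns (final status, password_sent_in_cleartext).
    Default: send nothing until a 401 names a scheme, then answer with the
    scheme offered. auth_before_challenge: send Basic on the first request.
    https_exception: preemptive Basic only when the URL scheme is https."""
    parts = urlsplit(url)
    method, uri, scheme = "GET", parts.path, parts.scheme
    preemptive = auth_before_challenge or (https_exception and scheme == "https")
    headers, cleartext = {}, False
    if preemptive:
        headers["Authorization"] = basic_credentials(USER, PASSWORD)
        cleartext = scheme != "https"
    status, resp = server(method, uri, headers)
    if status != 401:
        return status, cleartext          # redirect or success: no challenge seen
    challenge = resp.get("WWW-Authenticate", "")
    offered = challenge.split(" ", 1)[0].lower()
    if offered == "digest":
        nonce = re.search(r'nonce="([^"]*)"', challenge).group(1)
        rv = digest_response(USER, PASSWORD, method, uri, nonce)
        headers["Authorization"] = (f'Digest username="{USER}", realm="{REALM}", '
                                    f'nonce="{nonce}", uri="{uri}", response="{rv}"')
    elif offered == "basic":
        headers["Authorization"] = basic_credentials(USER, PASSWORD)
        cleartext = scheme != "https"
    else:
        return status, cleartext          # unknown scheme: do not guess
    status, _ = server(method, uri, headers)
    return status, cleartext


if __name__ == "__main__":
    print("challenge-first vs redirecting server:", fetch("http://h/s", redirecting_server))
    print("--auth-before-challenge:", fetch("http://h/s", redirecting_server, True))
    print("https exception:", fetch("https://h/s", redirecting_server, https_exception=True))
    print("digest server, default:", fetch("http://h/s", digest_server))
    print("digest server, preemptive:", fetch("http://h/s", digest_server, True))
```

Run against the redirecting server, the challenge-first policy ends at the 302 and never authenticates, which is the behaviour Tim describes; --auth-before-challenge fixes that at the cost of cleartext Basic over http, while the HTTPS-only exception gets the same result without the cleartext exposure. Against the Digest-only server the default policy authenticates without ever sending the password, and the preemptive policy silently downgrades to cleartext Basic, which is the risk Micah's reply points at.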