Re: Force authentication with NSURLConnection
- Subject: Re: Force authentication with NSURLConnection
- From: Dave Dribin <email@hidden>
- Date: Tue, 13 Mar 2007 16:48:31 -0500
On Mar 13, 2007, at 12:43 PM, Becky Willrich wrote:

> For security reasons, NSURLConnection's usual authentication path
> requires the client to fail first (i.e. to attempt an
> unauthenticated connection before applying credentials); this is to
> protect against sending passwords unnecessarily or to the wrong
> server.

That makes sense.

> Also, several HTTP authentication schemes require the 401 response
> from the server before it's even possible to compute the correct
> Authorization header; the 401 response carries a nonce that's needed.

True. This wouldn't be possible for digest auth.

> I think you could get around this by computing the necessary
> Authorization header yourself and manually applying it to the
> outgoing NSURLRequest before creating the NSURLConnection; use
> -[NSMutableURLRequest setValue:forHTTPHeaderField:].

Interesting idea. Thankfully, I didn't have to try it. :) We ended
up fixing the problem by changing the server to actually send 401s
for API calls. Since it could tell the difference between a browser
and an API call based on the Accept header, the server now provides
401 responses for API calls and 30x redirects for form-based browser
auth. With this server-side change in place, I was able to use
NSURLConnection to access the protected pages.

Thanks for your help,

-Dave
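
The server-side change described in this message, as an added sketch that is not part of the original post or the poster's server code: it picks a 401 challenge or a redirect to a login form from the Accept header. The /login path, the realm, the Basic scheme and the rule that only an explicit text/html or application/xhtml+xml entry counts as a browser are assumptions.

```python
from urllib.parse import quote

# Assumed values for illustration; the post does not name them.
LOGIN_PATH = "/login"   # hypothetical form-login URL
REALM = "api"           # hypothetical realm name
HTML_TYPES = ("text/html", "application/xhtml+xml")


def accepts_html(accept_header):
    """Return True if the Accept header lists an HTML type with q > 0."""
    for item in (accept_header or "").split(","):
        parts = [p.strip() for p in item.split(";")]
        if parts[0].lower() not in HTML_TYPES:
            continue  # wildcards such as */* do not mark a browser
        q = 1.0
        for param in parts[1:]:
            name, _, value = param.partition("=")
            if name.strip().lower() == "q":
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0  # malformed weight: ignore this entry
        if q > 0:
            return True
    return False


def unauthenticated_response(accept_header, requested_path):
    """Choose the reply for a request that carries no valid credentials."""
    # The reply depends on Accept, so caches must key on that header.
    headers = [("Vary", "Accept")]
    if accepts_html(accept_header):
        # Browser: redirect to the login form, remembering the target path.
        target = LOGIN_PATH + "?next=" + quote(requested_path, safe="/")
        return 302, headers + [("Location", target)]
    # API client: a 401 challenge lets HTTP stacks such as NSURLConnection
    # run their normal fail-first credential handling.
    challenge = 'Basic realm="%s"' % REALM
    return 401, headers + [("WWW-Authenticate", challenge)]
```

A client that sends only `*/*` or no Accept header at all is treated as an API caller here and receives the 401.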