Commit 81b59aaf authored by Iustin Pop

Fix HTTP server library handling of credentials



Currently the http library only checks credentials when authentication
is required. This means that any credentials are accepted on the root
resource, for example, which makes problems hard to diagnose - the
user/pw works for all queries, until one tries to do a modification, at
which point it fails.

This patch changes the PreHandleRequest() function to not ignore
credentials when passed, even if we don't require authentication. This
makes the behavior of RAPI more predictable.

Signed-off-by: Iustin Pop <iustin@google.com>
Reviewed-by: Guido Trotter <ultrotter@google.com>
parent 73e5a4f4
...@@ -101,10 +101,14 @@ class HttpServerRequestAuthentication(object): ...@@ -101,10 +101,14 @@ class HttpServerRequestAuthentication(object):
""" """
realm = self.GetAuthRealm(req) realm = self.GetAuthRealm(req)
# Authentication required? # Authentication not required, and no credentials given?
if realm is None: if realm is None and http.HTTP_AUTHORIZATION not in req.request_headers:
return return
if realm is None: # in case we don't require auth but someone
# passed the crendentials anyway
realm = "Unspecified"
# Check "Authorization" header # Check "Authorization" header
if self._CheckAuthorization(req): if self._CheckAuthorization(req):
# User successfully authenticated # User successfully authenticated
......
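
Review bot: the placeholder realm in the added `if realm is None:` branch is a bare string literal, `realm = "Unspecified"`, and the comment above it misspells "credentials" as "crendentials". Make the placeholder a named module-level constant, and state in the method docstring that a request carrying an Authorization header is now checked even when GetAuthRealm() returns None, because clients that sent wrong credentials to such resources will no longer be let through. The two consecutive `realm is None` tests can be folded into one block that returns when the header is absent and otherwise assigns the placeholder. A unit test for the three cases (no realm and no header, no realm with bad credentials, no realm with good credentials) would pin the new behaviour.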