[asterisk-bugs] [Asterisk 0010961]: [patch] Add HTTP Basic & Digest Auth (rfc2617) for manager web interface.

Asterisk Bug Tracker noreply at bugs.digium.com
Sun Dec 14 06:51:46 CST 2008


A NOTE has been added to this issue. 
====================================================================== 
http://bugs.digium.com/view.php?id=10961 
====================================================================== 
Reported By:                ys
Assigned To:                otherwiseguy
====================================================================== 
Project:                    Asterisk
Issue ID:                   10961
Category:                   Core/NewFeature
Reproducibility:            N/A
Severity:                   feature
Priority:                   normal
Status:                     assigned
Asterisk Version:           SVN 
SVN Branch (only for SVN checkouts, not tarball releases):  trunk 
SVN Revision (number only!): 85514 
Disclaimer on File?:        N/A 
Request Review:              
====================================================================== 
Date Submitted:             2007-10-12 06:48 CDT
Last Modified:              2008-12-14 06:51 CST
====================================================================== 
Summary:                    [patch] Add HTTP Basic & Digest Auth (rfc2617) for
manager web interface.
Description: 
I found that the manager web interface used the "Cookie" header to
authenticate the user. This requires two HTTP requests, one to authenticate
and the next for commands.
This patch adds only the Basic authentication scheme implementation, as
defined in RFC 2617.
If this scheme is used, httptimeout is unused, but we don't need to keep an
HTTP session (and mansession) alive after the HTTP request is processed.

======================================================================
Relationships       ID      Summary
----------------------------------------------------------------------
related to          0011414 [patch] Move loading users from authent...
====================================================================== 

---------------------------------------------------------------------- 
 (0096366) ys (reporter) - 2008-12-14 06:51
 http://bugs.digium.com/view.php?id=10961#c96366 
---------------------------------------------------------------------- 
otherwiseguy

Excuse the long absence, and thank you for the branch.

But this is the second time I see that automerge was canceled because of
conflicts with patches from trunk.

As you can see, I removed the "webauth=" parameters and created a separate
URI for the HTTP Digest authentication, for backward compatibility with the
existing asterisk GUI (and GUIs from foreign developers). Also, that gives
the chance to use authentication failover based on URI path.

About Basic auth:
I removed Basic HTTP auth, since oej, in due time, has specified it as
unsecured.
(At that point in time there was no support for https.)
Also, Basic HTTP auth doesn't give me the ability to exactly compare web
client and mansession data if several sessions with one account are used.
Digest HTTP auth provides a "nonce" (and "opaque") value that can be used as
a key for session searching. But when IE is used, "opaque" can't be used
for these purposes, because of the strange implementation of
Digest HTTP auth in IE.

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2008-12-14 06:51 ys             Note Added: 0096366                          
======================================================================
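
The note's point that the Digest nonce can serve as a session lookup key, shown as an added example (not code from the patch or from Asterisk): an RFC 2617 qop=auth check with the session table keyed by nonce, so two clients using one account resolve to separate sessions. The realm, account, URI and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

REALM = "asterisk"            # assumed realm name
USERS = {"admin": "s3cret"}   # constructed sample account
URI = "/example/manager"      # hypothetical URI, not the patch's path
SESSIONS = {}                 # nonce -> per-client session state

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def new_challenge():
    """Issue a fresh nonce (sent in WWW-Authenticate) and the session it keys."""
    nonce = secrets.token_hex(16)
    SESSIONS[nonce] = {"user": None, "nc": 0}
    return nonce

def digest_response(user, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 section 3.2.2.1 request-digest for qop=auth."""
    ha1 = md5_hex(f"{user}:{REALM}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def authenticate(method, fields):
    """Return the session keyed by the request's nonce, or None on failure."""
    session = SESSIONS.get(fields["nonce"])
    password = USERS.get(fields["username"])
    if session is None or password is None:
        return None                       # unknown nonce or unknown user
    try:
        count = int(fields["nc"], 16)
    except ValueError:
        return None                       # malformed nonce count
    if count <= session["nc"]:
        return None                       # nonce count reused: replayed request
    expected = digest_response(fields["username"], password, method,
                               fields["uri"], fields["nonce"],
                               fields["nc"], fields["cnonce"])
    if not hmac.compare_digest(expected, fields["response"]):
        return None                       # wrong password or altered fields
    session["user"], session["nc"] = fields["username"], count
    return session

def client_fields(user, password, method, uri, nonce, nc):
    """Build the Authorization: Digest fields a client would send."""
    cnonce = secrets.token_hex(8)
    return {"username": user, "uri": uri, "nonce": nonce, "nc": nc,
            "cnonce": cnonce, "response": digest_response(
                user, password, method, uri, nonce, nc, cnonce)}
```

With Basic auth both clients would present the identical `admin:s3cret` credential on every request, leaving nothing in the header to tell their sessions apart.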



