Hi,

I see a difference in the way Apache responds to an Expect: 100-continue header in version 1.3.33 vs 2.2.6. The 1.3.33 handling is correct. I feel the 2.2.6 handling is a bug.

For PUT requests with an Expect: 100-continue header, Apache 2.2.6 server sends an HTTP/1.1 100 Continue response before checking to see if a 401 or 405 response might need to be sent for the request. The client ends up sending the entire PUT or POST body in response to the 100 continue only to have it be rejected by the server due to a 401, then having to resend the request with the authentication header and the entire message body a second time. This defeats the purpose of the continue response stated in the HTTP 1.1 RFC - http://www.w3.org/Protocols/rfc2616/rfc2616-sec8.html#sec8.2.3

Apache 1.3.33 on the other hand, checks for the 401 condition before sending a 100 Continue response. It sends a 401 to the client. This allows the client to include an appropriate Authentication header when resending the request. This improves the chances of the request being accepted by the server and the client needs to send the message body just once. Since the client does not know if the server resource is protected by basic or digest authentication scheme, it needs to wait for the server's 401 before sending the appropriate Auth header in the request.

Here is the request/response sequence for this problem (using a small file in this example to illustrate the problem. In a real world scenario this is a serious issue for large files.) ...

Using Apache 2.2.6
-----------------------------

>>> to server
PUT /secret/test.html HTTP/1.1
Host: 10.10.10.1:8080
Expect: 100-continue
Date: Mon, 15 Oct 2007 20:05:24 GMT
Connection: Keep-Alive
Content-Length: 49
Content-Type: application/octet-stream

<<< from server
HTTP/1.1 100 Continue

>>>Sending entire file the first time ...
>>> to server (in real life this would be a very large file)
<html><body><h1>Secret works!</h1></body></html>

<<<from server
HTTP/1.1 401 Authorization Required
Date: Mon, 15 Oct 2007 20:05:24 GMT
Server: Apache/2.2.6 (Unix)
WWW-Authenticate: Basic realm="secret_access"
Content-Length: 401
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
etc...

>>>to server
PUT /secret/test.html HTTP/1.1
Host: 10.10.10.1:8080
Authorization: Basic dGVzdDp0ZXN0
Date: Mon, 15 Oct 2007 20:05:24 GMT
Connection: Keep-Alive
Content-Length: 49
Content-Type: application/octet-stream

>>>Sending entire file for the second time ...
>>> to server
<html><body><h1>Secret works!</h1></body></html>

<<<from server
HTTP/1.1 204
etc...

Using Apache 1.3.33
-----------------------------

>>> to server
PUT /secret/test.html HTTP/1.1
Host: 10.10.10.1:8888
Expect: 100-continue
Date: Mon, 15 Oct 2007 22:22:24 GMT
Connection: Keep-Alive
Content-Length: 49
Content-Type: application/octet-stream

<<<from server
HTTP/1.1 401 Authorization Required
Date: Mon, 15 Oct 2007 22:22:24 GMT
Server: Apache/1.3.33 (Unix)
WWW-Authenticate: Basic realm="secret_access"
Content-Length: 401
Connection: close
etc...

>>>to server
PUT /secret/test.html HTTP/1.1
Host: 10.10.10.1:8080
Authorization: Basic dGVzdDp0ZXN0
Date: Mon, 15 Oct 2007 22:22:24 GMT
Connection: Keep-Alive
Content-Length: 49
Content-Type: application/octet-stream

<html><body><h1>Secret works!</h1></body></html>

<<<from server
HTTP/1.1 204
etc...

My test Apache setup...
OS - Solaris 2.8.
configure options - enable-auth-digest (I did not use digest authentication for my test above.)
I have a simple put.cgi handling the put request.
I have a .htaccess file in the htdocs/secret dir and am using a password file generated using htpasswd.

Thanks
Ragini

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
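Added example, not part of the original message and not Apache's code: a small Python model of the two orderings in the traces above (100 Continue before the authentication check versus the check first), counting how many body bytes the client puts on the wire in each case. The names server, upload, put_head and USERS are hypothetical, and the credential store is constructed to match the Basic header shown in the trace.

```python
import base64, hmac

BODY = b"<html><body><h1>Secret works!</h1></body></html>"  # body from the post's trace
USERS = {"test": "test"}  # constructed store; matches "Basic dGVzdDp0ZXN0" in the post

def parse_head(head: bytes) -> dict:
    """Header fields of a request head, keyed by lower-cased name."""
    fields = (l.split(":", 1) for l in head.decode("latin-1").split("\r\n")[1:] if ":" in l)
    return {k.strip().lower(): v.strip() for k, v in fields}

def authorized(h: dict) -> bool:
    """Validate a Basic Authorization header against USERS."""
    scheme, _, token = h.get("authorization", "").partition(" ")
    try:
        user, _, pw = base64.b64decode(token, validate=True).decode().partition(":")
    except ValueError:  # bad base64 or bad UTF-8
        return False
    return (scheme.lower() == "basic" and user in USERS
            and hmac.compare_digest(USERS[user].encode(), pw.encode()))

def server(head: bytes, auth_first: bool) -> list:
    """Status codes emitted for one request, in order (hypothetical model)."""
    h = parse_head(head)
    ok = authorized(h)
    if auth_first and not ok:
        return [401]  # final status instead of 100: the body is never asked for
    interim = [100] if h.get("expect", "").lower() == "100-continue" else []
    return interim + [204 if ok else 401]

def put_head(extra: str) -> bytes:
    return ("PUT /secret/test.html HTTP/1.1\r\nHost: 10.10.10.1:8080\r\n"
            f"{extra}\r\nContent-Length: {len(BODY)}\r\n\r\n").encode("latin-1")

def upload(auth_first: bool) -> int:
    """Replay the post's two-request exchange; return body bytes sent."""
    sent = 0
    for extra in ("Expect: 100-continue", "Authorization: Basic dGVzdDp0ZXN0"):
        head = put_head(extra)
        statuses = server(head, auth_first)
        # RFC 2616 8.2.3: with Expect, send the body only after a 100 Continue
        if statuses[0] == 100 or "expect" not in parse_head(head):
            sent += len(BODY)
        if statuses[-1] == 204:
            return sent
    raise RuntimeError("upload was not accepted")

if __name__ == "__main__":
    print("100 before auth check:", upload(False), "body bytes")  # 2.2.6 trace
    print("auth check before 100:", upload(True), "body bytes")   # 1.3.33 trace
```

In the first ordering the server also has to read a full request body from a client it has not yet authenticated, which is the cost the check-first ordering avoids.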