Hi -
I'm just playing with a nicer HTTP client implementation (intended to
replace our horrible HTTPSocket nightmare) and while testing it I ran
afoul of a particularly odd behavior on squeaksource:
When you have a private project (i.e., global no access) SqueakSource
doesn't ask for authentication when trying to access the repository. For
example, go to the link of the following project:
http://www.squeaksource.com/Secret/
This will net you a page that doesn't list any of the projects but
also doesn't ask for authentication. When you access such a repository
via Monticello (with set username/password) Monticello will -in
collusion with HTTPSocket- proactively send your username + password for
access to the repository.
Which is fine, except ... pretty much the only way one can proactively
do authentication in http is by basic auth. Which is something that I'm
absolutely not fond of because it's transmitting your password pretty
much in plain text, obfuscated as base64. Ouch.
I'd really, really like to avoid adding a specific hack to the client
interface to send a basic auth header proactively for basic auth if
there's *any* way to fix this properly.
Is there anyone here who has an understanding of what it would take to
fix that problem? I.e., access to a private repository (like
http://www.squeaksource.com/Secret/) SHOULD result in a 401
Unauthorized, allowing the client to provide proper credentials.
Any insights are welcome.
Cheers,
- Andreas
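
The exchange the message asks for, as an added example that is not part of the original post and is not SqueakSource or Monticello code: an in-memory server answers an unauthenticated request for a private path with 401 and a challenge, and the client sends credentials only in response. Digest (RFC 2617, without qop) is an assumed choice of challenge-based scheme; the account, realm and all function names are constructed for illustration.

```python
import base64, hashlib, hmac, os

USERS = {"alice": "s3cret"}  # constructed sample account
REALM = "Secret"             # assumed realm name

def md5(s):
    return hashlib.md5(s.encode()).hexdigest()  # MD5 is what RFC 2617 specifies

def parse(value):
    # 'Digest k="v", k2="v2"' -> {"k": "v", "k2": "v2"}
    pairs = (p.strip().split("=", 1) for p in value[len("Digest "):].split(","))
    return {k: v.strip('"') for k, v in pairs}

def digest_response(user, password, realm, nonce, method, uri):
    ha1, ha2 = md5(f"{user}:{realm}:{password}"), md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{ha2}")

class Server:
    """Private repository that challenges instead of serving an empty page."""
    def __init__(self):
        self.nonces = set()

    def handle(self, method, uri, headers):
        auth = headers.get("Authorization", "")
        if auth.startswith("Digest "):
            f = parse(auth)
            pw = USERS.get(f.get("username"))
            if pw and f.get("nonce") in self.nonces:
                self.nonces.discard(f["nonce"])  # each nonce is accepted once
                want = digest_response(f["username"], pw, REALM, f["nonce"], method, uri)
                if hmac.compare_digest(want, f.get("response", "")):
                    return 200, {}
        nonce = os.urandom(16).hex()
        self.nonces.add(nonce)
        return 401, {"WWW-Authenticate": f'Digest realm="{REALM}", nonce="{nonce}"'}

def fetch(server, uri, user, password):
    """Send nothing secret until challenged; return (status, request headers sent)."""
    sent = [{}]
    status, hdrs = server.handle("GET", uri, sent[0])
    if status == 401 and hdrs["WWW-Authenticate"].startswith("Digest "):
        ch = parse(hdrs["WWW-Authenticate"])
        realm, nonce = ch["realm"], ch["nonce"]
        resp = digest_response(user, password, realm, nonce, "GET", uri)
        sent.append({"Authorization": f'Digest username="{user}", realm="{realm}", '
                                      f'nonce="{nonce}", uri="{uri}", response="{resp}"'})
        status, _ = server.handle("GET", uri, sent[1])
    return status, sent

def basic_header(user, password):  # what a proactive client puts on the wire
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def recover_basic(header):  # what anyone reading that header gets back
    return base64.b64decode(header[len("Basic "):]).decode()
```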