[pca] 401 Unauthorized
Martin Paul
martin at par.univie.ac.at
Thu Dec 16 10:35:02 CET 2010
Hi
There's a new development version (20101216-01) available on
http://www.par.univie.ac.at/solaris/pca/installation.html which uses an
alternative authentication mode. This one should fix the problems with some
combinations of web proxies and wget versions.
> Finally, I got it to work using "--sshost=getupdates.oracle.com" with PCA but
> I was never able to get it to work with wget [1.12]. I thought that didn't
> make any sense: how can it work with PCA, which calls wget, but not with
> wget itself? Maybe this is related to what you're thinking?
Yes, I think that's the same problem. I'll try to explain what's going on:
Usually when connecting to an HTTP server which requires authentication, the
client doesn't send authentication data on first attempt. It's the server which
asks for authentication after the first connection, and the client then retries
with authentication. You can see that in wget's output when trying to download a
patch from Oracle:
HTTP request sent, awaiting response... 401 Unauthorized
Reusing existing connection to getupdates.oracle.com:443.
HTTP request sent, awaiting response... 302 Moved Temporarily
It's denied at first, then wget reuses the connection and sends authentication.
The server checks authentication and then answers with the actual URL of the
file (on Akamai).
Some proxies seem not be able to handle this. They get "ERROR 401" and return
that to the client instead of retrying the connection. That's why wget fails then.
Now there's another option a client can choose - it can decide to "force"
authentication upon the server on first connection by providing an
Authentication header without being asked. This method seems to work always, and
it's what I'm using in PCA (again, as Sun's server didn't work otherwise at all
- it never asked for authentication itself).
Now for wget - when using http-user/http-passwd options, it used the second
method of pushing authentication unasked up to wget < 1.11. In wget 1.11 it
started to behave correctly, sending auth only when asked. This version didn't
work at all with Sun's server. I've reported that to the wget maintainers, and
they added a new option (--auth-no-challenge) to force the old behaviour.
Instead of handling each version of wget differently (and live with wget 1.11
not working at all) I instead used wget's --header option to force auth data at
the server all the time. When using wget on the command line, you were on your
own to use the right options with any version of wget.
Now Oracle's server seemed to work fine when used with wget's standard options,
so I decided to use those with the new version of PCA. It seems as if this
breaks when there's a (certain) web proxy between wget and Oracle, and therefore
I will start to use the old method with the forced Authentication header again.
I'd never believed how complicated it could be to download a single file via a
standard HTTP/S connection .. :)
Martin.
More information about the pca
mailing list