[Bug 1392709] [NEW] kio_http: HTTP body of 401 response not shown when SPNEGO authentication fails

Trogel 1392709 at bugs.launchpad.net
Fri Nov 14 12:37:19 UTC 2014


Public bug reported:

If an HTTP server responds with the "401 Unauthorized" status code and
requests SPNEGO authentication with the response-header line
"WWW-Authenticate: Negotiate", but kio_http fails to respond to the
challenge, Konqueror shows a built-in error page saying "Authorization
failed". Instead I'd expect to see the entity body of the server's 401
response.


The server I'm requesting actually sends an HTML page with a login form, but also allows for SPNEGO authentication (RFC 4559). Therefore it sends the login page with the "401 Unauthorized" status code and the response-header line "WWW-Authenticate: Negotiate". If the client can respond with appropriate authentication data, it will retry the HTTP request with an "Authorization" header. But if it cannot, it should show the entity body of the server's 401 response to the user so that he can manually log in. (I might be wrong, but this is my understanding of RFC 2616, section 10.4, "Client Error 4xx", where it says "User agents SHOULD display any included entity to the user." And that is what at least Firefox and probably other browsers currently do.)

However, if kio_http cannot respond to the server's SPNEGO request, it
displays a built-in error page. So, Konqueror does not show the server's
login form and the user cannot log in manually.

Reproduced on
- kubuntu trusty (14.04) with kdelibs5-plugins 4:4.13.3-0ubuntu0.1 and
- kubuntu utopic (14.10) with kdelibs5-plugins 4:4.14.1-0ubuntu1.


It took me a while to understand how this works, but now the fix appears to be quite simple. In certain places where kio_http detects an error, it calls sendErrorPageNotification() to check whether it should show the HTTP body of the server's response or a built-in error page. But this check does not happen when the last attempt to generate an "Authorization" response to the server's authentication request failed. Therefore it always shows the built-in error page in such cases.

As a patch (see attachment) to source package kde4libs-4.14.1 I added
such a check to kioslave/http/http.cpp and installed the modified package
kdelibs5-plugins_4.14.1-0ubuntu1_amd64.deb. For me it works as desired,
i.e. Konqueror now shows the login form. However, I cannot test this
with a working SPNEGO environment or such.

** Affects: kde4libs (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Kubuntu
Bugs, which is subscribed to kde4libs in Ubuntu.
https://bugs.launchpad.net/bugs/1392709
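
The fallback behaviour the report asks for, as an added example that is not part of the original report, the attached patch, or kio_http itself: a simplified model of what a client does with a 401 response whose challenges it cannot answer. All names (Response, Action, decide and the two credential callbacks) are hypothetical, and the sample response is constructed.

```cpp
// Added example: simplified model of the decision, not kio_http code.
// Every name here (Response, Action, decide, the callbacks) is hypothetical.
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <string>
#include <vector>

struct Response {
    int status;
    std::vector<std::string> wwwAuthenticate;  // one entry per header line
    std::string body;                          // entity body sent with the response
};

enum class Action { ShowNormally, RetryWithAuthorization, ShowServerBody, ShowBuiltinError };

// Lower-cased auth-scheme token of a challenge ("Negotiate", "Basic realm=..." ...).
static std::string scheme(const std::string &challenge) {
    auto b = challenge.find_first_not_of(" \t");
    if (b == std::string::npos) return "";
    auto e = challenge.find_first_of(" \t", b);
    std::string s = challenge.substr(b, e == std::string::npos ? e : e - b);
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Constructed credential sources: one client without, one with a usable ticket.
static bool noCredentials(const std::string &) { return false; }
static bool hasKerberosTicket(const std::string &s) { return s == "negotiate"; }

Action decide(const Response &r, bool (*canAnswer)(const std::string &)) {
    if (r.status != 401) return Action::ShowNormally;
    for (const auto &c : r.wwwAuthenticate)
        if (canAnswer(scheme(c))) return Action::RetryWithAuthorization;
    // No challenge could be answered. Fall back to the server's entity body
    // (RFC 2616, section 10.4) and use the built-in page only if there is none.
    return r.body.empty() ? Action::ShowBuiltinError : Action::ShowServerBody;
}

int main() {
    Response login{401, {"Negotiate"}, "<form>login</form>"};  // constructed sample
    std::printf("no ticket: %d, ticket: %d\n",
                static_cast<int>(decide(login, noCredentials)),
                static_cast<int>(decide(login, hasKerberosTicket)));
    return 0;
}
```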
