http basic auth question


Tod

Jul 29, 2010, 5:24:37 PM
to WebInject
<globalhttplog>yes</globalhttplog>
<globaltimeout>240</globaltimeout>
<useragent>Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)</useragent>
<timeout>120</timeout>
<httpauth>mywebsite.example.com:80:MyRealm:nagios:n@g10s</httpauth>

My config.xml file looks very similar to this (site URL changed to
protect the stupid). The question I have is that in my http.log of
the transaction, I never see the basic auth credentials being sent to
the server.

When I go to this URL in my browser, and capture the headers, I see
the following:

http://mywebsite.example.com/myrealm/protectedarea/

GET /myrealm/protectedarea HTTP/1.1
Host: mywebsite.example.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 ( .NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Cookie: JSESSIONID=D9D455EA25EBDFF38E302C5787A184A0
X-lori-time-1: 1280437658839
Authorization: Basic bmFnaW9zOm5AZzEwcw==

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/atom+xml;charset=UTF-8
Content-Length: 3591
Date: Thu, 29 Jul 2010 21:07:39 GMT

Should I be seeing things like "Authorization: Basic
bmFnaW9zOm5AZzEwcw==" in the http.log file? The fact that I'm not
leads me to believe that webinject is not sending the credentials to
the server.

My log file looks like this:

GET http://mywebsite.example.com/myrealm/protectedarea
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)



HTTP/1.1 401 Unauthorized
Connection: close
Date: Thu, 29 Jul 2010 21:16:10 GMT
Server: Apache-Coyote/1.1
WWW-Authenticate: Basic realm="MyRealm"
Content-Length: 954
Content-Type: text/html;charset=utf-8
Client-Date: Thu, 29 Jul 2010 21:16:10 GMT
Client-Peer: 172.25.45.249:80
Client-Response-Num: 1
Client-Warning: Redirect loop detected (max_redirect = 0)
Set-Cookie: JSESSIONID=4E997446871698231FDBEA2AB98165AF; Path=/myrealm
Title: Apache Tomcat/6.0.20 - Error report

In the headers from my web browser, the first attempt to do a GET on
the URL received the 401 error, and then the user/pass dialog window
comes up, I enter the credentials and then the subsequent request
gives me a 200. Unfortunately with my webinject testcases every
subsequent request for this URL gives me the 401.

Any help/guidance would be appreciated as I think I'm following the
procedure in the manual, but must be missing something somewhere along
the way. Thanks in advance.
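
The comparison made in the post above, as an added example that is not part of the original message and is not WebInject code: it checks a logged exchange for a Basic challenge that the client never answered, and decodes the browser's header to show that it is only base64 of `user:password`, so it can be compared with the `<httpauth>` entry. The sample log is constructed from the excerpts in the post; the function names are hypothetical.

```python
import base64

# Constructed from the http.log excerpt and the browser capture quoted above.
HTTP_LOG = """GET http://mywebsite.example.com/myrealm/protectedarea
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

HTTP/1.1 401 Unauthorized
Connection: close
Server: Apache-Coyote/1.1
WWW-Authenticate: Basic realm="MyRealm"
"""
BROWSER_HEADER = "Authorization: Basic bmFnaW9zOm5AZzEwcw=="


def _headers(lines):
    """Map lower-cased header names to values for 'Name: value' lines."""
    pairs = (line.partition(":") for line in lines)
    return {name.strip().lower(): value.strip() for name, _, value in pairs if value}


def parse_exchange(log_text):
    """Split one logged exchange into (request headers, status, response headers)."""
    request, _, response = log_text.partition("\n\n")
    response_lines = response.strip().splitlines()
    status = int(response_lines[0].split()[1])
    return _headers(request.splitlines()[1:]), status, _headers(response_lines[1:])


def decode_basic(header_line):
    """Return the (user, password) pair carried by an 'Authorization: Basic' line."""
    scheme, _, token = header_line.partition(":")[2].strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def diagnose(log_text):
    """Say whether the client answered the server's Basic challenge."""
    request, status, response = parse_exchange(log_text)
    challenge = response.get("www-authenticate", "")
    if status != 401 or not challenge.lower().startswith("basic"):
        return "no Basic challenge in this exchange"
    realm = challenge.partition("realm=")[2].strip('"')
    if "authorization" not in request:
        return f"challenge for realm {realm!r} was never answered"
    return f"credentials were sent but rejected for realm {realm!r}"
```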

sni

Jul 30, 2010, 7:49:57 AM
to WebInject
I think authentication has never worked in Webinject, see this thread
http://groups.google.com/group/webinject/browse_thread/thread/46f05df73eb8111f/5772b145cba4a7e9#5772b145cba4a7e9

I will fix this during the weekend.

Sven

Tod

Jul 30, 2010, 4:45:30 PM
to WebInject

Wow, good to know I'm not crazy ;)
Thanks for fixing this Sven.

Sven Nierlein

Jul 30, 2010, 5:49:21 PM
to WebInject
It's fixed in the current git version: http://github.com/sni/Webinject
I will commit to svn soon and maybe build a new release. But you are
welcome to test the git version.
Let me know if you need instructions for that.

Tod

Aug 2, 2010, 5:12:26 PM
to WebInject

Yes, instructions would be good. Once this is installed as a .pm
file, how do I invoke webinject, and where should my config.xml file
reside? I only want to run the engine from the command line, not the
GUI.

Sven Nierlein

Aug 2, 2010, 6:47:17 PM
to webi...@googlegroups.com
Hi Tod,

I added a new make target to the latest version. So you could either download the latest
HEAD tarball from github and do:

perl Makefile.PL && make webinject.pl

or you just use the attached one where I did that already. Usage is the same as before.
There are only some bugfixes and a couple of new config options which will soon be documented:

- break_on_errors
if set to 1 / on, the rest of the tests will be skipped after one fails.

- max_redirect
set the number of redirects webinject will follow, default is 0.

Sven

webinject.pl

Tod

Aug 2, 2010, 7:31:31 PM
to WebInject
Hi Sven,

Thanks, I actually downloaded the whole source tarball from git and
installed it. My basic auth tests now work as expected! Thank you so
much!

Tod

Vincent Gerris

Jun 4, 2013, 9:59:29 AM
to webi...@googlegroups.com
That attached pl file somehow did not work properly for me, -c parameter did not work.
I am also still not able to get basic authentication working.
Can anyone post the config line for the config.xml which would authenticate the following:
server: bla.bla.nl/bla, port 443, user test, password test, realm 'Bla bla: bla'?
My most sane attempt was:
The main issue is that the realm seems to contain a : .
Is there a way to escape it?
I will try to mod the realm first.

Greetings Vincent

Vincent Gerris

Jun 5, 2013, 6:51:31 AM
to webi...@googlegroups.com
Well, I removed those : from the realm, because I caught version 1.78 of webinject not handling \ as an escape character to :.
The line I used in config is:
<httpauth>bla.bla.nl/bla/:443:Some realm:user:password</httpauth>
That does not work for me.
I worked around it by using the addheader directive, filled with: Authorization: Basic user:passwordbase64string
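
The colon problem and the header workaround described above, as an added example that is not part of the original message and is not WebInject's own parser: a plain split on `:` yields six fields once the realm contains a colon, while splitting from both ends keeps the realm intact, and the static `Authorization` value is derived from user and password alone. The second entry is constructed from the values given earlier in the thread with a bare host name assumed; the function names are hypothetical, and no claim is made that any WebInject version accepts such a line.

```python
import base64

# Entry from the first post, and a constructed entry for the host, port, realm,
# user and password described in the thread (not a line quoted from it).
TOD_ENTRY = "mywebsite.example.com:80:MyRealm:nagios:n@g10s"
COLON_REALM_ENTRY = "bla.bla.nl:443:Bla bla: bla:test:test"


def naive_fields(entry):
    """Plain split on ':'; the five-field format breaks when the realm has a colon."""
    return entry.split(":")


def parse_httpauth(entry):
    """Parse host:port:realm:user:password, tolerating ':' inside the realm.

    Assumption of this example: user and password contain no ':'. Host and port
    are taken from the left, user and password from the right, and whatever is
    left in the middle is the realm.
    """
    host, port, rest = entry.split(":", 2)
    realm, user, password = rest.rsplit(":", 2)
    if not port.isdigit():
        raise ValueError(f"port must be numeric, got {port!r}")
    return host, int(port), realm, user, password


def basic_header(user, password):
    """Build the header a Basic client sends: base64 of 'user:password'."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Authorization: Basic {token}"


def header_for_entry(entry):
    """Static header value for an addheader-style workaround; the realm is unused."""
    _host, _port, _realm, user, password = parse_httpauth(entry)
    return basic_header(user, password)
```

Because a static header is sent without any realm matching, the realm's spelling stops mattering for this workaround, and the credentials are then attached to the request whether or not the server asked for them.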

joshua....@ecetera.com.au

Jun 19, 2013, 2:03:19 AM
to webi...@googlegroups.com
For others out there - I had no luck using the proxy option in my config when using basic authentication for a https connection - only worked on http. Same result when trying to use addheader within the testcase. I always got a "407 Proxy Authentication Required", I assume because the auth component was going over SSL and the proxy couldn't see it.

However I did manage to authenticate against my proxy for https requests using the httpauth option.

It set the correct headers for me;
Proxy-Authorization: Basic abcdefghijk
User-Agent: WebInject
Https-Proxy-Authorization: Basic abcdefghijk

joshua....@ecetera.com.au

Jun 19, 2013, 2:28:28 AM
to webi...@googlegroups.com
Disregard that - the httpauth was being ignored while I tested from my laptop which has direct internet connection thus gave me a false result. Back to the drawing board...