I am writing a Java program which responds to a basic request, using this as a reference: http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
First time the browser sends a GET request without credentials. I reply back with a 401.
out.println("HTTP/1.1 401 Unauthorized");
out.println("Server: My Test Server");
out.println("Content-Type: text/html; charset=iso-8859-1");
out.println("Accept-Ranges: bytes");
out.println("Connection: close");
out.println("WWW-Authenticate: Basic realm=\"myrealm\"");
out.println();
(out is the socket).
So the browser sends back the same request, but now with a username/password. If the username/password is correct, I send back a 200 and everything is hunky-dory.
But if the username/password is wrong, I send back a 401 again (using exactly the same code I used for the original request without creds). In this case, I again get the same request with the same username/password as before. And I again send back a 401. This time the cycle stops.
One thing to note is that, of the 2 GET requests which come with credentials, both come with the same uname/password, but the order of the request is different.
i.e.
First request with credentials
GET /basic HTTP/1.1
Authorization: Basic dHJ5OjEyMzQ1Ng==
User-Agent: Jakarta Commons-HttpClient/2.0.2
Host: IPAddress:Port of my program
2nd request with credentials
GET /basic HTTP/1.1
User-Agent: Jakarta Commons-HttpClient/2.0.2
Host: IPAddress:Port of my program
Authorization: dHJ5OjEyMzQ1Ng==
About the user agent, I think Jakarta Commons-HttpClient/2.0.2 is the library used by the webserver to forward the request to my program.
What am I doing wrong here? Do bad credentials require a response different from no credentials? Or is this a problem with the program sitting between the browser and my program (forwarding the browser's requests to my program)? Is it sending the request just to make sure my program is not refusing the request because of the order of the original request?
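The server-side decision the question turns on, as an added example that is not part of the original post: HTTP defines the same 401 with a `WWW-Authenticate` challenge for missing, malformed and rejected credentials, so the handler below parses the `Authorization` value strictly and answers all three failure cases identically. The class name, the `USER`/`PASS` values and the helper names are hypothetical; the sample header values are the two quoted in the post plus constructed ones.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

public class BasicAuthCheck {
    // Hypothetical demo credentials; a real server would verify against a stored password hash.
    static final String USER = "admin", PASS = "s3cret";

    // True only for a well-formed "Basic <base64(user:pass)>" value that matches USER/PASS.
    static boolean authorized(String header) {
        if (header == null) return false;                     // no Authorization header
        String[] parts = header.trim().split("\\s+", 2);
        if (parts.length != 2 || !parts[0].equalsIgnoreCase("Basic")) return false; // scheme missing
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(parts[1].trim());
        } catch (IllegalArgumentException e) {
            return false;                                     // not valid base64
        }
        String creds = new String(decoded, StandardCharsets.UTF_8);
        int colon = creds.indexOf(':');                       // first ':' splits user from password
        if (colon < 0) return false;
        boolean userOk = same(creds.substring(0, colon), USER);
        boolean passOk = same(creds.substring(colon + 1), PASS);
        return userOk & passOk;                               // non-short-circuit: both always compared
    }
    // MessageDigest.isEqual avoids the early exit of String.equals on the first differing byte.
    static boolean same(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8));
    }
    // Explicit CRLF line endings; println would use the platform line separator instead.
    static String response(String header) {
        if (authorized(header)) {
            return "HTTP/1.1 200 OK\r\nContent-Length: 0\r\nConnection: close\r\n\r\n";
        }
        return "HTTP/1.1 401 Unauthorized\r\n"
             + "WWW-Authenticate: Basic realm=\"myrealm\"\r\n"
             + "Content-Length: 0\r\nConnection: close\r\n\r\n";
    }

    public static void main(String[] args) {
        String good = "Basic " + Base64.getEncoder().encodeToString((USER + ":" + PASS).getBytes(StandardCharsets.UTF_8));
        // null = no header; the next two are the header values quoted in the post; the last is constructed.
        String[] samples = { null, "Basic dHJ5OjEyMzQ1Ng==", "dHJ5OjEyMzQ1Ng==", good };
        for (String h : samples) {
            System.out.println(h + " -> " + response(h).split("\r\n")[0]);
        }
    }
}
```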