Newsgroups : Borland : borland.public.delphi.internet.winsock : 2007 Oct : Re: Iny 10 TidHTTPServer - Digest Auth. problem
| Subject: | Re: Iny 10 TidHTTPServer - Digest Auth. problem |
| Posted by: | "Martin James" (nospam@tuthill.com) |
| Date: | Thu, 4 Oct 2007 09:19:40 |
Thanks to your explanation, I was able to take action as below. This is now
giving me '403 Forbidden' after three attempts - exactly the behaviour I was
expecting (OK, there are bugs in my digest checking, but I can fix those).
Thanks again Remy!
Rgds,
Martin
{ OnCreatePostStream handler, used as an early hook on the request headers.
  If the request carries an 'Authorization' header, the header line is copied
  into a pooled Tvalidationrequest, removed from AHeaders, and the object is
  parked in AContext.Data. Otherwise AContext.Data is set to nil.
  VPostStream is not assigned here. }
procedure TfoTestServer.hsDigestHTTPServerCreatePostStream(
  AContext: TIdContext; AHeaders: TIdHeaderList; var VPostStream: TStream);
var
  authRequest: Tvalidationrequest;
  authIdx: Integer;
begin
  // Is this a second attempt that carries credentials?
  authIdx := AHeaders.IndexOfName('Authorization');
  if authIdx <> -1 then
  begin
    // Get a comms object. INFINITE means this connection thread blocks until
    // the pool can supply one.
    // NOTE(review): any client can hold a pool object just by sending an
    // Authorization header - confirm the pool is sized for that.
    transactionPool.pop(@authRequest, INFINITE);
    // Save the header entry exactly as the list returns it.
    authRequest.FauthenticationHeader := AHeaders[authIdx];
    // Remove the header so Indy does not see it (per the author: stops Indy
    // closing the connection).
    AHeaders.Delete(authIdx);
    // NOTE(review): any value already in AContext.Data is overwritten without
    // being released - confirm nothing is left there from an earlier request.
    AContext.Data := authRequest;
  end
  else
    // Not an Authorization attempt.
    AContext.Data := nil;
end;
..
..
..
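{ OnCommandGet handler implementing the two legs of the Digest exchange.
  - AContext.Data assigned: the request carried an Authorization header. The
    saved object is posted to the main thread for checking, and the reply is
    200 with the page stream on success or 403 on failure.
  - AContext.Data nil: a pooled object is posted to the main thread to build
    the challenge, and the reply is 401 with the headers it produced.
  If the message cannot be posted, the reply is 500 rather than waiting for a
  signal that would never arrive. }
procedure TfoTestServer.hsDigestHTTPServerCommandGet(AContext: TIdContext;
  ARequestInfo: TIdHTTPRequestInfo; AResponseInfo: TIdHTTPResponseInfo);
var
  headerMess: Tvalidationrequest;
begin
  if Assigned(AContext.Data) then // auth attempt?
  begin
    headerMess := Tvalidationrequest(AContext.Data);
    // Detach the object from the context once it has been taken. This stops
    // a later request on the same kept-alive connection from being treated
    // as an auth attempt with stale credentials. It also keeps the context
    // from disposing of an object that belongs to the pool (Indy is
    // understood to free Data when the context is destroyed - confirm for
    // the Indy build in use).
    AContext.Data := nil;
    // Off to the VCL thread. LPARAM rather than integer keeps the cast
    // pointer-sized.
    // NOTE(review): Self.Handle is read from a server thread - the form's
    // window handle must already exist by then.
    if not PostMessage(Self.Handle, WM_SERVERCHECKDIGEST, 0, LPARAM(headerMess)) then
    begin
      // Nothing will signal the wait below, so fail the request instead.
      AResponseInfo.ResponseNo := 500;
      AResponseInfo.ResponseText := 'Internal Server Error';
      Exit;
    end;
    headerMess.wait; // wait for main thread to check auth against edits/memos
    // NOTE(review): the digest check itself is not shown. The nonce should be
    // validated as server-issued and fresh, and the response hash compared in
    // a way that does not leak timing.
    if headerMess.FdigestOK then // was it OK?
    begin
      AResponseInfo.ResponseNo := 200; // yes - send OK
      AResponseInfo.ContentStream := headerMess.FpageStream; // and XML page
      // Indy frees the stream after sending.
      // NOTE(review): headerMess.FpageStream still points at it - confirm the
      // field is reset before the object is reused.
      AResponseInfo.FreeContentStream := True;
    end
    else
    begin
      AResponseInfo.ResponseNo := 403; // no, so show failure
      AResponseInfo.ResponseText := 'Forbidden';
    end;
  end
  else
  begin // not an auth attempt, so send client Digest/nonce
    transactionPool.pop(@headerMess, INFINITE);
    headerMess.postHeaders.Assign(ARequestInfo.RawHeaders);
    if not PostMessage(Self.Handle, WM_SERVERGETNONCE, 0, LPARAM(headerMess)) then
    begin
      AResponseInfo.ResponseNo := 500;
      AResponseInfo.ResponseText := 'Internal Server Error';
      Exit;
    end;
    headerMess.wait; // wait for VCL action re. nonce generation
    // Then add the resulting 'WWW-Authenticate' header to the response.
    // NOTE(review): postHeaders was filled with the request's raw headers
    // above. This assumes the main-thread handler replaces them with only the
    // challenge; otherwise client-supplied headers are echoed back.
    AResponseInfo.CustomHeaders.AddStrings(headerMess.postHeaders);
    AResponseInfo.ResponseNo := 401; // you need to authenticate with Digest
    AResponseInfo.ResponseText := 'Unauthorized';
  end;
  // NOTE(review): nothing in this handler returns headerMess to
  // transactionPool - confirm it is handed back elsewhere, or the pool can be
  // drained by repeated requests.
end;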