X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?a=blobdiff_plain;f=lib%2FCatalyst%2FAuthentication%2FCredential%2FHTTP.pm;h=8d76f6cdcfbeea3dc3f6d0f4ac8ac60bd5b5369d;hb=4b9601dc974a41680352e68a54531962209d9ecc;hp=78f5948ee42d18b2cd7d2a9c49e60437b501c91f;hpb=9a901542eb71c65ee85ff34fd1f2524f182fc306;p=catagits%2FCatalyst-Authentication-Credential-HTTP.git
diff --git a/lib/Catalyst/Authentication/Credential/HTTP.pm b/lib/Catalyst/Authentication/Credential/HTTP.pm
index 78f5948..8d76f6c 100644
--- a/lib/Catalyst/Authentication/Credential/HTTP.pm
+++ b/lib/Catalyst/Authentication/Credential/HTTP.pm
@@ -20,6 +20,7 @@ __PACKAGE__->mk_accessors(qw/
 use_uri_for
 no_unprompted_authorization_required
 require_ssl
+ broken_dotnet_digest_without_query_string
 /);
 
 our $VERSION = '1.014';
@@ -130,7 +131,9 @@ sub authenticate_digest {
 my $algorithm = $res{algorithm} || 'MD5';
 my $nonce_count = '0x' . $res{nc};
 
- my $check = $uri eq $res{uri}
+ my $check = ($uri eq $res{uri} ||
+ ($self->broken_dotnet_digest_without_query_string &&
+ $c->request->uri->path eq $res{uri}))
 && ( exists $res{username} )
 && ( exists $res{qop} )
 && ( exists $res{cnonce} )
@@ -637,6 +640,15 @@ return a 401 response in your application), and even some automated
 user agents (for APIs) will not send the Authorization header without
 specific manipulation of the request headers.
 
+=item broken_dotnet_digest_without_query_string
+
+Enables support for .NET (or other similarly broken clients), which
+fails to include the query string in the uri in the digest
+Authorization header, contrary to rfc2617.
+
+This option has no effect on clients that include the query string;
+they will continue to work as normal.
+
 =back
 
 =head1 RESTRICTIONS
@@ -675,6 +687,8 @@ Patches contributed by:
 
 =item Devin Austin (dhoss) C
 
+=item Ronald J Kimball
+
 =back
 
 =head1 SEE ALSO
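Review bot: With `broken_dotnet_digest_without_query_string` enabled, the new `$c->request->uri->path eq $res{uri}` branch in `authenticate_digest` accepts a path-only digest `uri` from any client, not only the .NET ones, so for those requests the digest response presumably no longer covers the query parameters. That trade-off deserves a comment at the check, for example `# Compat fallback: path-only digest uri accepted; the query string is then not bound to the digest response.`, and the POD entry added in the later hunk, which only says that compliant clients keep working, should state it as well. Pulling the URI test into its own variable, `my $uri_ok = $uri eq $res{uri} || ( $self->broken_dotnet_digest_without_query_string && $c->request->uri->path eq $res{uri} );`, would keep the long `&&` chain readable. The function starts and ends outside the hunk, so how `$uri` is built and which value feeds the hash is not visible here.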