[squeak-dev] SqueakSource question

Andreas Raab andreas.raab at gmx.de
Tue Feb 23 18:01:50 UTC 2010


Hi -

I'm just playing with a nicer HTTP client implementation (intended to
replace our horrible HTTPSocket nightmare) and while testing it I ran
afoul of a particularly odd behavior on squeaksource:

When you have a private project (i.e., global no access) SqueakSource 
doesn't ask for authentication when trying to access the repository. For 
example, go to the link of the following project:

	http://www.squeaksource.com/Secret/

This will net you with a page that doesn't list any of the projects but 
also doesn't ask for authentication. When you access such a repository 
via Monticello (with set username/password) Monticello will -in 
collusion with HTTPSocket- proactively send your username + password for 
access to the repository.

Which is fine, except ... pretty much the only way one can proactively 
do authentication in http is by basic auth. Which is something that I'm 
absolutely not fond of because it's transmitting your password pretty 
much in plain text, obfuscated as base64. Ouch.

I'd really, really like to avoid adding a specific hack to the client 
interface to send a basic auth header proactively for basic auth if 
there's *any* way to fix this properly.

Is there anyone here who has an understanding of what it would take to
fix that problem? I.e., access to a private repository (like 
http://www.squeaksource.com/Secret/) SHOULD result in a 401 
Unauthorized, allowing the client to provide proper credentials.

Any insights are welcome.

Cheers,
   - Andreas
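
Added example, not part of the original message and not SqueakSource or Squeak code: an in-process model of the 401 challenge flow the message asks for, next to what a proactively sent Basic header exposes. Assumptions: the server offers Digest auth (RFC 2617, no qop), which the message does not name; the account, realm, and the Server/fetch names are constructed for illustration.

```python
import base64, hashlib, hmac, os

USERS = {"alice": "s3cret"}   # constructed account, not from the post
REALM = "SqueakSource"        # assumed realm name

def md5(s):
    return hashlib.md5(s.encode()).hexdigest()

def basic_header(user, pw):
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()

def recover_from_basic(header):
    # Anyone who sees a Basic header gets the password back with one decode.
    return tuple(base64.b64decode(header.split(" ", 1)[1]).decode().split(":", 1))

def parse_params(value):
    # 'Digest k="v", k2="v2"' -> ("Digest", {...}); assumes no commas in values
    scheme, _, rest = value.partition(" ")
    pairs = (p.strip().split("=", 1) for p in rest.split(",") if "=" in p)
    return scheme, {k: v.strip('"') for k, v in pairs}

def digest_response(user, pw, realm, nonce, method, uri):
    # RFC 2617 without qop: MD5(HA1:nonce:HA2). MD5 is the legacy algorithm.
    ha1, ha2 = md5(f"{user}:{realm}:{pw}"), md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{ha2}")

class Server:
    def __init__(self):
        self.nonces = set()   # challenges issued and not yet used
    def handle(self, method, uri, headers):
        scheme, f = parse_params(headers.get("Authorization", ""))
        if scheme == "Digest" and f.get("nonce") in self.nonces:
            self.nonces.discard(f["nonce"])   # single use, so a replay fails
            user = f.get("username", "")
            want = digest_response(user, USERS.get(user, ""), REALM, f["nonce"], method, uri)
            if user in USERS and hmac.compare_digest(f.get("response", ""), want):
                return 200, {}
        nonce = os.urandom(16).hex()
        self.nonces.add(nonce)
        return 401, {"WWW-Authenticate": f'Digest realm="{REALM}", nonce="{nonce}"'}

def fetch(server, uri, user, pw):
    status, hdrs = server.handle("GET", uri, {})   # first request: no credentials
    if status != 401:
        return status, None
    _, ch = parse_params(hdrs["WWW-Authenticate"])
    resp = digest_response(user, pw, ch["realm"], ch["nonce"], "GET", uri)
    auth = (f'Digest username="{user}", realm="{ch["realm"]}", nonce="{ch["nonce"]}", '
            f'uri="{uri}", response="{resp}"')
    return server.handle("GET", uri, {"Authorization": auth})[0], auth
```

The client cannot compute the Digest response before it has seen the server's nonce, which is why a private repository has to answer 401 for anything other than Basic to be usable.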


