Test Cases for the HTTP WWW-Authenticate header field

Please send feedback to julian.reschke@gmx.de.

Note: Work-in-progress

Note that several aspects of WWW-Authenticate are currently under discussion, which may cause the "expected" results to change (for instance, the requirement for the realm parameter, the requirement to have at least a single parameter, the use of whitespace around the assignment, and the requirement to use quoted-string for realm values). Please join the IETF HTTPbis WG's mailing list to participate.

Furthermore, there's also a new IETF HTTPAuth Working Group, working on updating the specs for Basic and Digest (among other things). See the WG's home page for details.

Browsers Tested

Unless stated otherwise, all tests were executed with the latest release versions of Firefox, Google Chrome, Microsoft Internet Explorer, and Safari on a machine running Windows 7. Konqueror was tested on OpenSuse 11.4. Test versions are included when there was a change related to the test cases.

Test Result Summary

Colors -- Red: Failure, Green: Pass, Yellow: Warning, Grey: Not Supported

Score -- Passes: 2 points, Warning: 1 point, in percent of possible points (this should be updated to count optional features differently)

Test Case   Firefox 28   Firefox 29 ("Beta")   Microsoft IE 11   Safari 5.1   Konqueror 4.8.4   Google Chrome 32
Summary   52% passes, 28% failures, 21% warnings, 0% unsupported, 0% to-do; Score: 62   59% passes, 21% failures, 21% warnings, 0% unsupported, 0% to-do; Score: 69   52% passes, 24% failures, 24% warnings, 0% unsupported, 0% to-do; Score: 64   66% passes, 10% failures, 24% warnings, 0% unsupported, 0% to-do; Score: 78   76% passes, 3% failures, 21% warnings, 0% unsupported, 0% to-do; Score: 86   62% passes, 17% failures, 21% warnings, 0% unsupported, 0% to-do; Score: 72

Basic
simplebasic   pass   pass   pass   pass   pass   pass
simplebasiclf   pass   pass   fail (Doesn't see the realm parameter)   pass   pass   pass
simplebasicucase   pass   pass   pass   pass   fail (misses the realm parameter)   pass
simplebasictok   warn (accepts the unquoted form)   warn (accepts the unquoted form)   warn (accepts the unquoted form)   warn (accepts the unquoted form)   warn (accepts the unquoted form)   warn (accepts the unquoted form)
simplebasictokbs   warn (accepts the unquoted form)   warn (accepts the unquoted form)   warn (accepts the unquoted form)   pass (ignores the challenge)   warn (accepts the unquoted form)   warn (accepts the unquoted form)
simplebasicsq   warn (detects realm 'foo')   warn (detects realm 'foo')   warn (detects realm 'foo')   warn (detects realm 'foo')   warn (detects realm 'foo')   fail (detects realm foo)
simplebasicpct   pass   pass   pass   pass   pass   pass
simplebasiccomma   pass   pass   pass   pass   pass   pass
simplebasiccomma2   pass (ignores the header field)   pass (ignores the header field)   pass (ignores the header field)   warn (accepts the header field)   pass (ignores the header field)   pass (ignores the header field)
simplebasicnorealm   warn (accepts the realm-less form)   warn (accepts the realm-less form)   warn (accepts the realm-less form (shows "(null") realm))   warn (accepts the realm-less form, derives the presented value from the host name)   warn (accepts the realm-less form, derives the presented value from the host name)   warn (accepts the realm-less form)
simplebasic2realms   warn (takes the first realm)   warn (takes the first realm)   warn (takes the first realm)   warn (takes the second realm)   warn (takes the first realm)   warn (takes the second realm)
simplebasicwsrealm   pass   pass   warn (accepts the whitespace)   warn (accepts the whitespace)   pass   warn (accepts the whitespace)
simplebasicrealmsqc   fail (fails to unescape, thus sees the realm \f\o\o (see Mozilla Bug 676358))   pass   fail (fails to unescape, thus sees the realm \f\o\o)   fail (fails to unescape, thus sees the realm \f\o\o)   pass   pass
simplebasicrealmsqc2   fail (fails to unescape, thus sees the realm "\foo\" (see Mozilla Bug 676358))   pass   fail (fails to unescape, thus sees the realm "\foo\")   fail (fails to unescape, thus sees the realm "\foo\")   pass   pass
simplebasicnewparam1   pass   pass   pass   pass   pass   pass
simplebasicnewparam2   pass   pass   pass   pass   pass   pass
simplebasicrealmiso88591   pass   pass   pass   pass   pass   pass
simplebasicrealmutf8   pass (displayed as the two raw characters ä)   pass (displayed as the two raw characters ä)   pass (displayed as the two raw characters ä)   pass (displayed as the two raw characters ä)   pass (displayed as the two raw characters ä)   pass (displayed as the two raw characters ä)
simplebasicrealmrfc2047   pass   pass   pass   pass   pass   pass

Multiple Challenges
multibasicunknown   pass   pass   pass   pass   pass   pass
multibasicunknown2   fail (doesn't see the Basic challenge (see Mozilla Bug 669675))   fail (doesn't see the Basic challenge (see Mozilla Bug 669675))   fail (doesn't see the Basic challenge)   pass   pass   fail (doesn't see the Basic challenge (see Chrome Issue 103220))
multibasicunknown2mf   pass   pass   pass   pass   pass   pass
multibasicempty   fail (doesn't see the Basic challenge (likely the same as Mozilla Bug 669675))   fail (doesn't see the Basic challenge (likely the same as Mozilla Bug 669675))   fail (doesn't see the Basic challenge)   fail (doesn't see the Basic challenge)   pass   fail (doesn't see the Basic challenge)
multibasicqs   fail (doesn't see the Basic challenge (likely the same as Mozilla Bug 669675))   fail (doesn't see the Basic challenge (likely the same as Mozilla Bug 669675))   fail (doesn't see the Basic challenge)   pass   pass   fail (doesn't see the Basic challenge)
multidisgscheme   fail (doesn't see the Basic challenge (likely the same as Mozilla Bug 669675))   fail (doesn't see the Basic challenge (likely the same as Mozilla Bug 669675))   fail (doesn't see the Basic challenge)   pass   pass   fail (doesn't see the Basic challenge)

Unknown Schemes
unknown   pass (Page is displayed, no prompt)   pass (Page is displayed, no prompt)   pass (Page is displayed, no prompt)   pass (Page is displayed, no prompt)   pass (Page is displayed, no prompt)   pass (Page is displayed, no prompt)

Parsing quirks
disguisedrealm   fail (detects realm nottherealm",)   fail (detects realm nottherealm",)   pass   pass   pass   pass
disguisedrealm2   fail (detects realm nottherealm)   fail (detects realm nottherealm)   pass   pass   pass   pass
missingquote   warn (detects realm basic)   warn (detects realm basic)   warn (detects realm basic)   warn (detects realm basic)   warn (detects Basic challenge with no realm)   warn (detects realm basic)

Test Cases

Basic

Various tests checking Basic auth.

simplebasic [TEST] [R]

WWW-Authenticate: Basic realm="foo"
Test Results
FF28   pass
FF29   pass
MSIE11   pass
Safari   pass
Konq   pass
Chr32   pass

simple Basic auth

Extracted raw data:

scheme name   parameter name   parameter value   
Basic   realm   "foo"

After post-processing the authentication scheme name, parameter names, and parameter values:

scheme name   parameter name   parameter value
basic   realm   foo

simplebasiclf [TEST] [R]

WWW-Authenticate: Basic
 realm="foo"
Test Results
FF28   pass
FF29   pass
MSIE11   fail (Doesn't see the realm parameter)
Safari   pass
Konq   pass
Chr32   pass

simple Basic auth, with (deprecated) line folding

Extracted raw data:

scheme name   parameter name   parameter value   
Basic   realm   "foo"

After post-processing the authentication scheme name, parameter names, and parameter values:

scheme name   parameter name   parameter value
basic   realm   foo

simplebasicucase [TEST] [R]

WWW-Authenticate: BASIC REALM="foo"
Test Results
FF28   pass
FF29   pass
MSIE11   pass
Safari   pass
Konq   fail (misses the realm parameter)
Chr32   pass

simple Basic auth (using uppercase characters)

Extracted raw data:

scheme name   parameter name   parameter value   
BASIC   REALM   "foo"

After post-processing the authentication scheme name, parameter names, and parameter values:

scheme name   parameter name   parameter value
basic   realm   foo

simplebasictok [TEST] [R]

WWW-Authenticate: Basic realm=foo
Test Results
FF28   warn (accepts the unquoted form)
FF29   warn (accepts the unquoted form)
MSIE11   warn (accepts the unquoted form)
Safari   warn (accepts the unquoted form)
Konq   warn (accepts the unquoted form)
Chr32   warn (accepts the unquoted form)

simple Basic auth, using token format for realm (but see Section 2.2 of draft-ietf-httpbis-p7-auth-22)

Extracted raw data:

scheme name   parameter name   parameter value   
Basic   realm   foo

Invalid syntax: parameter 'realm' is defined to only use 'quoted-string' syntax.

simplebasictokbs [TEST] [R]

WWW-Authenticate: Basic realm=\f\o\o
                  ^ (PARSE ERROR)
Test Results
FF28   warn (accepts the unquoted form)
FF29   warn (accepts the unquoted form)
MSIE11   warn (accepts the unquoted form)
Safari   pass (ignores the challenge)
Konq   warn (accepts the unquoted form)
Chr32   warn (accepts the unquoted form)

simple Basic auth, using token format for realm (but see Section 2.2 of draft-ietf-httpbis-p7-auth-22), including backslashes

simplebasicsq [TEST] [R]

WWW-Authenticate: Basic realm='foo'
Test Results
FF28   warn (detects realm 'foo')
FF29   warn (detects realm 'foo')
MSIE11   warn (detects realm 'foo')
Safari   warn (detects realm 'foo')
Konq   warn (detects realm 'foo')
Chr32   fail (detects realm foo)

simple Basic auth, using single quotes (these are allowed in a token, but should not be treated as quote characters)

Extracted raw data:

scheme name   parameter name   parameter value   
Basic   realm   'foo'

Invalid syntax: parameter 'realm' is defined to only use 'quoted-string' syntax.

simplebasicpct [TEST] [R]

WWW-Authenticate: Basic realm="foo%20bar"
Test Results
FF28   pass
FF29   pass
MSIE11   pass
Safari   pass
Konq   pass
Chr32   pass

simple Basic auth, containing a %-escape (which isn't special here)

Extracted raw data:

scheme name   parameter name   parameter value   
Basic   realm   "foo%20bar"

After post-processing the authentication scheme name, parameter names, and parameter values:

scheme name   parameter name   parameter value
basic   realm   foo%20bar

simplebasiccomma [TEST] [R]

WWW-Authenticate: Basic , realm="foo"
Test Results
FF28   pass
FF29   pass
MSIE11   pass
Safari   pass
Konq   pass
Chr32   pass

simple Basic auth, with a comma between schema and auth-param

Extracted raw data:

scheme name   parameter name   parameter value   
Basic   realm   "foo"

After post-processing the authentication scheme name, parameter names, and parameter values:

scheme name   parameter name   parameter value
basic   realm   foo

simplebasiccomma2 [TEST] [R]

WWW-Authenticate: Basic, realm="foo"
                  ^ (PARSE ERROR)
Test Results
FF28   pass (ignores the header field)
FF29   pass (ignores the header field)
MSIE11   pass (ignores the header field)
Safari   warn (accepts the header field)
Konq   pass (ignores the header field)
Chr32   pass (ignores the header field)

simple Basic auth, with a comma between schema and auth-param (this is invalid because of the missing space characters after the scheme name)

simplebasicnorealm [TEST] [R]

WWW-Authenticate: Basic
                  ^ (PARSE ERROR)
Test Results
FF28   warn (accepts the realm-less form)
FF29   warn (accepts the realm-less form)
MSIE11   warn (accepts the realm-less form (shows "(null") realm))
Safari   warn (accepts the realm-less form, derives the presented value from the host name)
Konq   warn (accepts the realm-less form, derives the presented value from the host name)
Chr32   warn (accepts the realm-less form)

simple Basic auth, realm parameter missing

simplebasic2realms [TEST] [R]

WWW-Authenticate: Basic realm="foo", realm="bar"
Test Results
FF28   warn (takes the first realm)
FF29   warn (takes the first realm)
MSIE11   warn (takes the first realm)
Safari   warn (takes the second realm)
Konq   warn (takes the first realm)
Chr32   warn (takes the second realm)

simple Basic auth with two realm parameters

Extracted raw data:

scheme name   parameter name   parameter value   
Basic   realm   "foo"
Basic   realm   "bar"

Invalid syntax: parameter 'realm' needs to appear exactly once for 'basic' challenge.

simplebasicwsrealm [TEST] [R]

WWW-Authenticate: Basic realm = "foo"
                  ^ (PARSE ERROR)
Test Results
FF28   pass
FF29   pass
MSIE11   warn (accepts the whitespace)
Safari   warn (accepts the whitespace)
Konq   pass
Chr32   warn (accepts the whitespace)

simple Basic auth, whitespace used in auth-param assignment (but see HTTPbis WG Ticket 287)

simplebasicrealmsqc [TEST] [R]

WWW-Authenticate: Basic realm="\f\o\o"
Test Results
FF28   fail (fails to unescape, thus sees the realm \f\o\o (see Mozilla Bug 676358))
FF29   pass
MSIE11   fail (fails to unescape, thus sees the realm \f\o\o)
Safari   fail (fails to unescape, thus sees the realm \f\o\o)
Konq   pass
Chr32   pass

simple Basic auth, with realm using quoted string escapes

Extracted raw data:

scheme name   parameter name   parameter value   
Basic   realm   "\f\o\o"

After post-processing the authentication scheme name, parameter names, and parameter values:

scheme name   parameter name   parameter value
basic   realm   foo

simplebasicrealmsqc2 [TEST] [R]

WWW-Authenticate: Basic realm="\"foo\""
Test Results
FF28   fail (fails to unescape, thus sees the realm "\foo\" (see Mozilla Bug 676358))
FF29   pass
MSIE11   fail (fails to unescape, thus sees the realm "\foo\")
Safari   fail (fails to unescape, thus sees the realm "\foo\")
Konq   pass
Chr32   pass

simple Basic auth, with realm using quoted string escapes

Extracted raw data:

scheme name   parameter name   parameter value   
Basic   realm   "\"foo\""

After post-processing the authentication scheme name, parameter names, and parameter values:

scheme name   parameter name   parameter value
basic   realm   "foo"

simplebasicnewparam1 [TEST] [R]

WWW-Authenticate: Basic realm="foo", bar="xyz",, a=b,,,c=d
Test Results
FF28   pass
FF29   pass
MSIE11   pass
Safari   pass
Konq   pass
Chr32   pass

simple Basic auth, with additional auth-params

Extracted raw data:

scheme name   parameter name   parameter value   
Basic   realm   "foo"
Basic   bar   "xyz"
Basic   a   b
Basic   c   d

After post-processing the authentication scheme name, parameter names, and parameter values:

scheme name   parameter name   parameter value
basic   realm   foo
basic   bar   xyz
basic   a   b
basic   c   d

simplebasicnewparam2 [TEST] [R]

WWW-Authenticate: Basic bar="xyz", realm="foo"
Test Results
FF28   pass
FF29   pass
MSIE11   pass
Safari   pass
Konq   pass
Chr32   pass

simple Basic auth, with an additional auth-param (but with reversed order)

Extracted raw data:

scheme name   parameter name   parameter value   
Basic   bar   "xyz"
Basic   realm   "foo"

After post-processing the authentication scheme name, parameter names, and parameter values:

scheme name   parameter name   parameter value
basic   bar   xyz
basic   realm   foo

simplebasicrealmiso88591 [TEST] [R]

WWW-Authenticate: Basic realm="foo-ä"
Test Results
FF28   pass
FF29   pass
MSIE11   pass
Safari   pass
Konq   pass
Chr32   pass

simple Basic auth, using "a umlaut" character encoded using ISO-8859-1

Extracted raw data:

scheme name   parameter name   parameter value   
Basic   realm   "foo-ä"

After post-processing the authentication scheme name, parameter names, and parameter values:

scheme name   parameter name   parameter value
basic   realm   foo-ä

simplebasicrealmutf8 [TEST] [R]

WWW-Authenticate: Basic realm="foo-ä"
Test Results
FF28   pass (displayed as the two raw characters ä)
FF29   pass (displayed as the two raw characters ä)
MSIE11   pass (displayed as the two raw characters ä)
Safari   pass (displayed as the two raw characters ä)
Konq   pass (displayed as the two raw characters ä)
Chr32   pass (displayed as the two raw characters ä)

simple Basic auth, using "a umlaut" character encoded using UTF-8

Extracted raw data:

scheme name   parameter name   parameter value   
Basic   realm   "foo-ä"

After post-processing the authentication scheme name, parameter names, and parameter values:

scheme name   parameter name   parameter value
basic   realm   foo-ä

simplebasicrealmrfc2047 [TEST] [R]

WWW-Authenticate: Basic realm="=?ISO-8859-1?Q?foo-=E4?="
Test Results
FF28   pass
FF29   pass
MSIE11   pass
Safari   pass
Konq   pass
Chr32   pass

simple Basic auth, using "a umlaut" character encoded using RFC 2047

RFC 2047 does not apply to quoted-strings, so the realm really is =?ISO-8859-1?Q?foo-=E4?=

Extracted raw data:

scheme name   parameter name   parameter value   
Basic   realm   "=?ISO-8859-1?Q?foo-=E4?="

After post-processing the authentication scheme name, parameter names, and parameter values:

scheme name   parameter name   parameter value
basic   realm   =?ISO-8859-1?Q?foo-=E4?=

Multiple Challenges

Various tests checking multiple challenges.

multibasicunknown [TEST] [R]

WWW-Authenticate: Basic realm="basic", Newauth realm="newauth"
Test Results
FF28   pass
FF29   pass
MSIE11   pass
Safari   pass
Konq   pass
Chr32   pass

a header field containing two challenges, one of which unknown

Extracted raw data:

scheme name   parameter name   parameter value   
Basic   realm   "basic"

scheme name   parameter name   parameter value
Newauth   realm   "newauth"

After post-processing the authentication scheme name, parameter names, and parameter values:

scheme name   parameter name   parameter value
basic   realm   basic

After post-processing the authentication scheme name, parameter names, and parameter values:

scheme name   parameter name   parameter value
newauth   realm   newauth

multibasicunknown2 [TEST] [R]

WWW-Authenticate: Newauth realm="newauth", Basic realm="basic"
Test Results
FF28   fail (doesn't see the Basic challenge (see Mozilla Bug 669675))
FF29   fail (doesn't see the Basic challenge (see Mozilla Bug 669675))
MSIE11   fail (doesn't see the Basic challenge)
Safari   pass
Konq   pass
Chr32   fail (doesn't see the Basic challenge (see Chrome Issue 103220))

as above, but with challenges swapped

Extracted raw data:

scheme name   parameter name   parameter value   
Newauth   realm   "newauth"

scheme name   parameter name   parameter value
Basic   realm   "basic"

After post-processing the authentication scheme name, parameter names, and parameter values:

scheme name   parameter name   parameter value
newauth   realm   newauth

After post-processing the authentication scheme name, parameter names, and parameter values:

scheme name   parameter name   parameter value
basic   realm   basic

multibasicunknown2mf [TEST] [R]

WWW-Authenticate: Newauth realm="newauth"
WWW-Authenticate: Basic realm="basic"
Test Results
FF28   pass
FF29   pass
MSIE11   pass
Safari   pass
Konq   pass
Chr32   pass

as above, but using two header fields

Extracted raw data:

scheme name   parameter name   parameter value   
Newauth   realm   "newauth"

scheme name   parameter name   parameter value
Basic   realm   "basic"

After post-processing the authentication scheme name, parameter names, and parameter values:

scheme name   parameter name   parameter value
newauth   realm   newauth

After post-processing the authentication scheme name, parameter names, and parameter values:

scheme name   parameter name   parameter value
basic   realm   basic

multibasicempty [TEST] [R]

WWW-Authenticate: ,Basic realm="basic"
Test Results
FF28   fail (doesn't see the Basic challenge (likely the same as Mozilla Bug 669675))
FF29   fail (doesn't see the Basic challenge (likely the same as Mozilla Bug 669675))
MSIE11   fail (doesn't see the Basic challenge)
Safari   fail (doesn't see the Basic challenge)
Konq   pass
Chr32   fail (doesn't see the Basic challenge)

a header field containing one Basic challenge, following an empty one

Extracted raw data:

scheme name   parameter name   parameter value   
Basic   realm   "basic"

After post-processing the authentication scheme name, parameter names, and parameter values:

scheme name   parameter name   parameter value
basic   realm   basic

multibasicqs [TEST] [R]

WWW-Authenticate: Newauth realm="apps", type=1, title="Login to \"apps\"", Basic realm="simple" 
Test Results
FF28   fail (doesn't see the Basic challenge (likely the same as Mozilla Bug 669675))
FF29   fail (doesn't see the Basic challenge (likely the same as Mozilla Bug 669675))
MSIE11   fail (doesn't see the Basic challenge)
Safari   pass
Konq   pass
Chr32   fail (doesn't see the Basic challenge)

a header field containing two challenges, the first one for a new scheme and having a parameter using quoted-string syntax

Extracted raw data:

scheme name   parameter name   parameter value   
Newauth   realm   "apps"
Newauth   type   1
Newauth   title   "Login to \"apps\""

scheme name   parameter name   parameter value
Basic   realm   "simple"

After post-processing the authentication scheme name, parameter names, and parameter values:

scheme name   parameter name   parameter value
newauth   realm   apps
newauth   type   1
newauth   title   Login to "apps"

After post-processing the authentication scheme name, parameter names, and parameter values:

scheme name   parameter name   parameter value
basic   realm   simple

multidisgscheme [TEST] [R]

WWW-Authenticate: Newauth realm="Newauth Realm", basic=foo, Basic realm="Basic Realm" 
Test Results
FF28   fail (doesn't see the Basic challenge (likely the same as Mozilla Bug 669675))
FF29   fail (doesn't see the Basic challenge (likely the same as Mozilla Bug 669675))
MSIE11   fail (doesn't see the Basic challenge)
Safari   pass
Konq   pass
Chr32   fail (doesn't see the Basic challenge)

a header field containing two challenges, the first one for a new scheme and having a parameter called "Basic"

Extracted raw data:

scheme name   parameter name   parameter value   
Newauth   realm   "Newauth Realm"
Newauth   basic   foo

scheme name   parameter name   parameter value
Basic   realm   "Basic Realm"

After post-processing the authentication scheme name, parameter names, and parameter values:

scheme name   parameter name   parameter value
newauth   realm   Newauth Realm
newauth   basic   foo

After post-processing the authentication scheme name, parameter names, and parameter values:

scheme name   parameter name   parameter value
basic   realm   Basic Realm

Unknown Schemes

Tests for how unknown schemes are handled.

unknown [TEST] [R]

WWW-Authenticate: Newauth realm="newauth"
Test Results
FF28   pass (Page is displayed, no prompt)
FF29   pass (Page is displayed, no prompt)
MSIE11   pass (Page is displayed, no prompt)
Safari   pass (Page is displayed, no prompt)
Konq   pass (Page is displayed, no prompt)
Chr32   pass (Page is displayed, no prompt)

a header field containing a challenge for an unknown scheme

Extracted raw data:

scheme name   parameter name   parameter value   
Newauth   realm   "newauth"

After post-processing the authentication scheme name, parameter names, and parameter values:

scheme name   parameter name   parameter value
newauth   realm   newauth

Parsing quirks

Tests for how tricky header fields are parsed.

disguisedrealm [TEST] [R]

WWW-Authenticate: Basic foo="realm=nottherealm", realm="basic"
Test Results
FF28   fail (detects realm nottherealm",)
FF29   fail (detects realm nottherealm",)
MSIE11   pass
Safari   pass
Konq   pass
Chr32   pass

a header field containing a Basic challenge, with a quoted-string extension param that happens to contain the string "realm="

Extracted raw data:

scheme name   parameter name   parameter value   
Basic   foo   "realm=nottherealm"
Basic   realm   "basic"

After post-processing the authentication scheme name, parameter names, and parameter values:

scheme name   parameter name   parameter value
basic   foo   realm=nottherealm
basic   realm   basic

disguisedrealm2 [TEST] [R]

WWW-Authenticate: Basic nottherealm="nottherealm", realm="basic"
Test Results
FF28   fail (detects realm nottherealm)
FF29   fail (detects realm nottherealm)
MSIE11   pass
Safari   pass
Konq   pass
Chr32   pass

a header field containing a Basic challenge, with a preceding extension param named "nottherealm"

Extracted raw data:

scheme name   parameter name   parameter value   
Basic   nottherealm   "nottherealm"
Basic   realm   "basic"

After post-processing the authentication scheme name, parameter names, and parameter values:

scheme name   parameter name   parameter value
basic   nottherealm   nottherealm
basic   realm   basic

missingquote [TEST] [R]

WWW-Authenticate: Basic realm="basic
                  ^ (PARSE ERROR)
Test Results
FF28   warn (detects realm basic)
FF29   warn (detects realm basic)
MSIE11   warn (detects realm basic)
Safari   warn (detects realm basic)
Konq   warn (detects Basic challenge with no realm)
Chr32   warn (detects realm basic)

a header field containing a Basic challenge, with a realm missing the second double quote
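
The expected results above imply a small grammar: a scheme, at least one space, then a comma-separated list of name=value parameters with no whitespace around "=". The following Python parser is an added example, not part of the original test suite or its generator; the names parse_www_authenticate, basic_realm and ChallengeSyntaxError are hypothetical. It reproduces the post-processed values listed for the valid cases and rejects the cases marked PARSE ERROR or "Invalid syntax".

```python
import re

# Grammar the page's expected results follow: challenge = auth-scheme 1*SP 1#auth-param,
# auth-param = token "=" ( token / quoted-string ), with no whitespace around "=".
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
PARAM_RE = re.compile(rf"({TOKEN})=(?:({TOKEN})|({QUOTED}))")
SCHEME_RE = re.compile(rf"({TOKEN})[ \t]+")
LIST_SEP_RE = re.compile(r"[ \t]*(?:,|$)")   # a parameter must be followed by "," or the end
EMPTY_RE = re.compile(r"[ \t,]*")            # whitespace and empty list elements


class ChallengeSyntaxError(ValueError):
    """The field value does not match the grammar, or breaks a Basic-specific rule."""


def parse_www_authenticate(value):
    """Return [(scheme, [(name, value, was_quoted), ...]), ...] after post-processing."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)       # unfold (deprecated) line folding
    challenges, pos = [], 0
    while True:
        pos = EMPTY_RE.match(value, pos).end()
        if pos == len(value):
            break
        param = PARAM_RE.match(value, pos)
        if param:                                    # name=value belongs to the open challenge
            if not challenges:
                raise ChallengeSyntaxError(f"auth-param before any scheme at offset {pos}")
            name, token, quoted = param.groups()
            # Quoted values lose their quotes and quoted-pair escapes; tokens are kept as is.
            val = token if quoted is None else re.sub(r"\\(.)", r"\1", quoted[1:-1])
            challenges[-1][1].append((name.lower(), val, quoted is not None))
            sep = LIST_SEP_RE.match(value, param.end())
            if not sep:
                raise ChallengeSyntaxError(f"expected ',' at offset {param.end()}")
            pos = sep.end()
        else:                                        # otherwise it must start a new challenge
            start = SCHEME_RE.match(value, pos)
            if not start:
                raise ChallengeSyntaxError(f"parse error at offset {pos}")
            challenges.append((start.group(1).lower(), []))
            pos = start.end()
    for scheme, params in challenges:
        if not params:
            raise ChallengeSyntaxError(f"challenge {scheme!r} has no auth-param")
    return challenges


def basic_realm(challenges):
    """Realm of the first Basic challenge (None if there is none), enforcing the realm rules."""
    for scheme, params in challenges:
        if scheme != "basic":
            continue
        realms = [(val, quoted) for name, val, quoted in params if name == "realm"]
        if len(realms) != 1:
            raise ChallengeSyntaxError("'realm' needs to appear exactly once for 'basic' challenge")
        if not realms[0][1]:
            raise ChallengeSyntaxError("'realm' is defined to only use 'quoted-string' syntax")
        return realms[0][0]
    return None


if __name__ == "__main__":
    # Field values copied from the multibasicqs and disguisedrealm test cases.
    for field in ('Newauth realm="apps", type=1, title="Login to \\"apps\\"", Basic realm="simple" ',
                  'Basic foo="realm=nottherealm", realm="basic"'):
        print(basic_realm(parse_www_authenticate(field)))
```

Tokenizing the whole field value before looking for a scheme or a realm is what keeps the disguisedrealm and multidisgscheme inputs from being misread by a substring search for "realm=" or "Basic".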

Test Case Generation

Both this document and the individual test "scripts" are generated from one single XML source (httpauth.xml), using an XSLT2 transformation (httpauth.xslt).

To generate the files, an XSLT2 processor such as Saxon 9 is needed. Copy both files into an empty directory, then run:

saxon9 httpauth.xml httpauth.xslt > index.html

Note that this will also generate a set of "*.asis" and "nph-*.cgi" files that contain the actual test cases. The "*.asis" files need to be served using the Apache httpd mod_asis module.