Bug 134067

Summary: No way to handle HTTP Authentication with WKWebView
Product: WebKit Reporter: Anders Carlsson <andersca>
Component: New BugsAssignee: Anders Carlsson <andersca>
Status: RESOLVED FIXED    
Severity: Normal CC: ap, mitz, rniwa
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch mitz: review+

Description Anders Carlsson 2014-06-19 11:12:16 PDT
No way to handle HTTP Authentication with WKWebView
Comment 1 Anders Carlsson 2014-06-19 11:13:15 PDT
Created attachment 233368 [details]
Patch
Comment 2 Anders Carlsson 2014-06-19 11:50:46 PDT
Created attachment 233371 [details]
Patch
Comment 3 mitz 2014-06-19 12:15:11 PDT
Comment on attachment 233371 [details]
Patch

Nice writeup
Comment 4 mitz 2014-06-19 12:33:29 PDT
<rdar://problem/17317874>
Comment 5 Anders Carlsson 2014-06-19 12:51:35 PDT
Committed r170157: <http://trac.webkit.org/changeset/170157>
Comment 6 Ryosuke Niwa 2014-06-21 00:14:24 PDT
Looks like this patch caused a build failure on commit queue. I've posted a patch on https://bugs.webkit.org/show_bug.cgi?id=134152.
Comment 7 Alexey Proskuryakov 2014-06-22 23:35:28 PDT
Does this support all kinds of challenges, or only username/password?

I'm thinking of finally reenabling HTTPS regression tests in WKTR - to do this, we need to handle server trust auth.
Comment 8 mitz 2014-06-22 23:47:16 PDT
(In reply to comment #7)
> Does this support all kinds of challenges, or only username/password?

It supports username/password and client certificate authentication, but not server trust, which is why the “can authenticate” client function returns false for server trust.

> I'm thinking of finally reenabling HTTPS regression tests in WKTR - to do this, we need to handle server trust auth.

I looked into enabling server trust authentication a couple of times, and each time my conclusion was that Security and CFNetwork are missing the API needed for that.
Comment 9 Alexey Proskuryakov 2014-06-22 23:53:57 PDT
Is there a bug tracking the missing API?

From looking at <https://developer.apple.com/library/Mac/documentation/Cocoa/Conceptual/URLLoadingSystem/Articles/AuthenticationChallenges.html>, it appears that we should simply return YES from canAuthenticate..., and then pass [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust] to useCredential. It seemed to me that we lose the ability to do so at WebKit2 layer.
Comment 10 mitz 2014-06-23 00:06:19 PDT
(In reply to comment #9)
> Is there a bug tracking the missing API?
> 
> From looking at <https://developer.apple.com/library/Mac/documentation/Cocoa/Conceptual/URLLoadingSystem/Articles/AuthenticationChallenges.html>, it appears that we should simply return YES from canAuthenticate..., and then pass [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust] to useCredential. It seemed to me that we lose the ability to do so at WebKit2 layer.

It’s been a few days since I last looked at it, so I am not sure I remember correctly, but I seem to remember that the issues were: server trust is a write-only property of a NSURLCredential and a read-only property of a NSURLProtectionSpace.
Comment 11 mitz 2014-07-26 23:31:38 PDT
(In reply to comment #10)
> (In reply to comment #9)
> > Is there a bug tracking the missing API?
> > 
> > From looking at <https://developer.apple.com/library/Mac/documentation/Cocoa/Conceptual/URLLoadingSystem/Articles/AuthenticationChallenges.html>, it appears that we should simply return YES from canAuthenticate..., and then pass [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust] to useCredential. It seemed to me that we lose the ability to do so at WebKit2 layer.
> 
> It’s been a few days since I last looked at it, so I am not sure I remember correctly, but I seem to remember that the issues were: server trust is a write-only property of a NSURLCredential and a read-only property of a NSURLProtectionSpace.

We now use the platform encoding of NSURLProtectionSpace, and we’ll be able to support server trust authentication if we do the same for NSURLCredential. I filed bug 135327.