There is a bug with the Linksys router (e.g. WRT54G) when using Safari to configure it through the web interface. Safari will immediately display the 401 Unauthorized page instead of requesting the user for authentication information. It appears that the router has no realm sent with the WWW-Authenticate header. The HTTP/1.0 Specification states that "The realm attribute (case-insensitive) is required for all authentication schemes which issue a challenge." However, browsers such as Firefox and IE both handle this missing realm while Safari fails.

An example response from the Linksys router is:

    HTTP/1.0 401 Unauthorized
    Server: httpd
    Date: Wed, 23 Nov 2005 22:17:20 GMT
    WWW-Authenticate: Basic
    Content-Type: text/html
    Connection: close

    <HTML><HEAD><TITLE>401 Unauthorized</TITLE></HEAD>
    <BODY BGCOLOR="#cc9999"><H4>401 Unauthorized</H4>
    Authorization required.
    </BODY></HTML>

The correct WWW-Authenticate header should be:

    WWW-Authenticate: Basic realm="realm name"

I found a past report on http://www.macfixit.com/article.php?story=20040116073545527.
After further investigation this appears to be a "problem" with NSURLConnection. With some test code the delegate method "didReceiveAuthenticationChallenge" is never called. Is this a bug that should be reported to Apple? No other browsers fail when an authentication realm is not set in the HTTP headers.
Reassigning to webkit-unassigned, to make sure more people see this.
Confirmed, as a lot of people in the referred URL seem to have this problem.
See also Bug 13600.
If the WWW-Authenticate header does not supply a realm then NSURLConnection does not perform any authentication. The Linksys router has disabled the realm string being sent in their version of the LightHTTPd code. I fixed the Linksys issue by fixing the offending line in their source and recompiling (LightHTTPd source is fine, Linksys have just commented out lines in their version). Both Firefox and IE work when a realm is not set (even though this appears to be against spec). See: http://www.ietf.org/rfc/rfc2617.txt ["The realm directive (case-insensitive) is required for all authentication schemes that issue a challenge."]
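An added example, not part of the original bug comments and not WebKit or Linksys code: a Python check that parses the WWW-Authenticate challenge out of a raw response and reports schemes sent without a realm, run on the router response quoted in the report. The function names are hypothetical, and it assumes one challenge per header line.

```python
import re

# auth-param = name "=" ( token | quoted-string ), as in the RFC 2617 grammar
_PARAM = re.compile(r'([^\s=,"]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^\s,]+)')

# The response quoted in the bug report, and the same response with the
# header the report says the router should have sent.
LINKSYS_RESPONSE = (
    "HTTP/1.0 401 Unauthorized\r\n"
    "Server: httpd\r\n"
    "Date: Wed, 23 Nov 2005 22:17:20 GMT\r\n"
    "WWW-Authenticate: Basic\r\n"
    "Content-Type: text/html\r\n"
    "Connection: close\r\n"
    "\r\n"
    "<HTML><HEAD><TITLE>401 Unauthorized</TITLE></HEAD></HTML>\r\n"
)
FIXED_RESPONSE = LINKSYS_RESPONSE.replace(
    "WWW-Authenticate: Basic\r\n",
    'WWW-Authenticate: Basic realm="realm name"\r\n',
)


def parse_challenges(raw_response):
    """Return [(scheme, params)] for every WWW-Authenticate header line."""
    head = re.split(r"\r?\n\r?\n", raw_response, maxsplit=1)[0]
    challenges = []
    for line in head.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "www-authenticate":
            continue  # header names are case-insensitive
        scheme, _, rest = value.strip().partition(" ")
        params = {}
        for key, val in _PARAM.findall(rest):
            if val.startswith('"'):  # strip quotes, undo backslash escapes
                val = re.sub(r"\\(.)", r"\1", val[1:-1])
            params[key.lower()] = val  # directive names are case-insensitive
        challenges.append((scheme, params))
    return challenges


def missing_realm(raw_response):
    """Schemes whose challenge lacks the required realm directive."""
    return [s for s, p in parse_challenges(raw_response) if "realm" not in p]


if __name__ == "__main__":
    print("router response:", missing_realm(LINKSYS_RESPONSE))
    print("fixed response: ", missing_realm(FIXED_RESPONSE))
```

A non-empty result marks a server whose 401 a strict client may refuse to turn into a credential prompt, which is the behaviour reported here for NSURLConnection.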
*** Bug 13600 has been marked as a duplicate of this bug. ***
<rdar://problem/5289792>
Closing as INVALID, as the issue is not in open source WebKit. It will be handled internally by Apple engineers.