NSURLSession authentication challenge type disparity between 10.10 and 10.11

Originator: jalkut
Number: rdar://21918904
Date Originated: 21-Jul-2015 09:44 AM
Status: Fixed
Resolved: 07-Aug-2015 02:50 PM
Product: OS X
Product Version: 10.11
Classification: Serious Bug
Reproducible: Always
 
Summary:
A data task scheduled with NSURLSession to load from an HTTP Basic Auth protected resource will result in an authentication challenge callback on 10.10 with protectionSpace authenticationMethod "NSURLAuthenticationMethodDefault" while on 10.11 the same code (or importantly, precompiled binary) will result in a challenge that has authenticationMethod "NSURLAuthenticationMethodHTTPBasic".

It seems like it was a bug in 10.10 that NSURLAuthenticationMethodDefault was listed as the literal authenticationMethod, but now there is a problem because apps that rely upon testing NSURLSession authentication challenges for HTTP Basic on 10.10 must compare the challenge type with "default" while on 10.11 they must compare the challenge type with the more explicit HTTP Basic.

I can work around the problem by adding a special case to my own client code that changes the comparison based on OS release version, but is there some way Apple can finesse this so it works as expected for existing apps but also addresses the issue for the longer run?

Advice appreciated. Thanks!

Steps to Reproduce:
1. Open the attached sample project.
2. Build and run on 10.10. The output is yielded:

Got challenge for HTTP Basic Auth endpoint with protection space method: NSURLAuthenticationMethodDefault

3. Archive a binary and run the resulting binary on 10.11 (to demonstrate the issue with pre-built, already shipped code). The output is yielded:

Got challenge for HTTP Basic Auth endpoint with protection space method: NSURLAuthenticationMethodHTTPBasic




Expected Results:
The protection space method reported by NSURLSession's authentication challenges should be consistent for a given compiled binary. Perhaps a "linked on or after" test should be made for the change in behavior, and documentation should be updated to reflect the caveat that on 10.10.x the challenge will report as NSURLAuthenticationMethodDefault.

Actual Results:
The protection space method reported is different depending on the OS version being run against.

Version:
10.11 Beta (15A216g)

Notes:


Configuration:


Attachments:
'SessionChallengeTest.zip' was successfully uploaded.

Comments

This bug was fixed in OS X 10.11 Beta (15A244d). Pre-existing binaries built on previous systems now obtain the expected protection space method NSURLAuthenticationMethodDefault, matching what has been historically returned. Newer binaries built e.g. against 10.11 SDK obtain the protection space NSURLAuthenticationMethodHTTPBasic, which is probably the more accurate and correct value to compare for.
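
An added example, not code from the radar's attached sample project: a task-level challenge handler that treats both reported method names as HTTP Basic, so the same binary behaves identically on 10.10 and 10.11 without an OS version check. The class name, expectedHost and credential properties are hypothetical, and the HTTPS and host checks are an assumption about the app's policy, added because Basic credentials are only base64-encoded on the wire.

```objc
#import <Foundation/Foundation.h>

// Hypothetical delegate; the class name and both properties are placeholders.
@interface BasicAuthSessionDelegate : NSObject <NSURLSessionTaskDelegate>
@property (copy) NSString *expectedHost;        // host allowed to receive the credential
@property (strong) NSURLCredential *credential; // user/password for that host
@end

// YES when the challenge is HTTP Basic under either reported name:
// NSURLAuthenticationMethodDefault (10.10, and older binaries on fixed 10.11)
// or NSURLAuthenticationMethodHTTPBasic (binaries built against the 10.11 SDK).
static BOOL IsBasicAuthChallenge(NSURLProtectionSpace *space) {
    NSString *method = space.authenticationMethod;
    return [method isEqualToString:NSURLAuthenticationMethodHTTPBasic] ||
           [method isEqualToString:NSURLAuthenticationMethodDefault];
}

@implementation BasicAuthSessionDelegate

- (void)URLSession:(NSURLSession *)session
              task:(NSURLSessionTask *)task
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition,
                             NSURLCredential *))completionHandler
{
    NSURLProtectionSpace *space = challenge.protectionSpace;

    // Anything that is not Basic (NTLM, Negotiate, ...) is left to the system.
    if (!IsBasicAuthChallenge(space)) {
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }

    // Assumed policy: answer only over HTTPS and only for the expected host.
    BOOL trustedTarget =
        [space.protocol isEqualToString:NSURLProtectionSpaceHTTPS] &&
        [space.host isEqualToString:self.expectedHost];

    // A non-zero failure count means this credential was already rejected;
    // cancel instead of resending it in a loop.
    if (!trustedTarget || challenge.previousFailureCount > 0) {
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
        return;
    }

    completionHandler(NSURLSessionAuthChallengeUseCredential, self.credential);
}

@end
```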

