Quoderat

« Aspects
Something for nothing »

Password-Protected RSS Challenge

July 29th, 2005

[More updates from comments.]

[Update: many more results, collected from comments. It looks like nearly every feed reader can handle at least HTTP basic authentication, which is good news for people planning to use RSS and Atom in government or enterprise.]

I’ve uploaded a small, static RSS file at http://www.megginson.com/test/blog.rss. The file is valid RSS 2.0 (or 2.01, if you prefer), and is served with the MIME type application/xml.

Here’s the kicker — it’s password-protected, using HTTP basic authentication. The username and password are both “guest”. Can your RSS software or webapp read this feed? Here’s what I’ve tested so far:

Liferea
Prompts for a username and password, and stores the password on disk as clear text.
Bloglines
Reports no feed found. However, will read the RSS file if the username and password are encoded in the URL, i.e. http://guest:guest@www.megginson.com/test/blog.rss
FeedValidator
Reports a 401 HTTP error (authorization required). Strips the username and password from the URL if they are provided.

Here are results gathered by others and left as comments for this posting:

CaRP
Antone Roundy reports success when the configuration line CarpConf(’basicauth’,'guest:guest’); is included. I am not certain if that line would apply to all feeds, or just to this one.
FeedDemon
Bill de hOra reports success both with this sample and with password-protected https feeds at his workplace.
RSSBandit
Dan Sholler reports success.
Sage
Tim Howland and John Cowan both report success, since Sage uses the browser’s built-in authentication support. M. David Peterson points out that anything built on top of Mozilla/Firefox or MSIE should work.
NewsFire
Peter Lacey reports success.
Thunderbird
Christof Hoeke reports success.
NetNewsWire
Ryan King reports success.
SharpReader
Roland Kaufmann reports partial success (with the username and password embedded in the URL).
iTunes
Robert Sharl reports success (though iTunes reports an error due to the lack of an audio enclosure).
Opera
Rijk van Geijtenbeek reports success.
KDE Akregator

Douglas reports success.

This entry was posted on Friday, July 29th, 2005 at 02:00:25 and is filed under blogging, web. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

27 Responses to “Password-Protected RSS Challenge”

  1. Antone Roundy Says:
    July 29th, 2005 at 02:24:45

    CaRP fails if you don’t enter authentication credentials (incorrectly reporting an XML parsing error–the next version will be a proper HTTP client and report the 401!), but succeeds if you include this configuration line in your code: CarpConf(’basicauth’,'guest:guest’);

  2. Bill de hOra Says:
    July 29th, 2005 at 02:29:02

    FeedDemon will work with this (we have a few password+https protected feeds in work)

  3. Dan Sholler Says:
    July 29th, 2005 at 02:57:22

    Looks like it works OK in RSSBandit.

  4. M. David Peterson Says:
    July 29th, 2005 at 03:14:22

    For what its worth both Firefox/Mozilla and IE access the feed, first asking for the username and password. While this technically means diddly as it doesn’t use the test you suggested, it does lend well to the idea of using the browser for validation to then pass these credentials to a default application that determines if this is an RSS or Atom feed and, if yes, renders the feed.

    I guess my point in bringing this up is that it seems we should be using existing mechanisms that we know work and work well to accomplish particular tasks, like handling http logins, storing the username and password as part of our clients-side browser profiles. Not that we can or even should expect this to happen… but one can always dream :)

  5. Tim Howland Says:
    July 29th, 2005 at 03:20:17

    Sage works fine, using the browser’s built in mechanisms for basic auth.

  6. John Cowan Says:
    July 29th, 2005 at 04:07:22

    I tested it in Sage, which is a Firefox extension that I normally use for feedreading (I like it better than the built-in Firefox live bookmarks). It prompted me for username and password when I added the feed, and remembered them until the Firefox process terminates, as you’d expect.

    Do the actual entries really 404? That’s what FF is telling me.

  7. netzooid Says:
    July 29th, 2005 at 04:48:45

    Secured RSS

    Will your feed reader work with a username and password?

    I’ve take an approach in one of my applications where I generate a GUID and only allow HTTPS requests. So something like…

  8. Peter Lacey Says:
    July 29th, 2005 at 09:22:12

    Works perfectly in NewsFire. Entries are readable too.

  9. Christof Hoeke Says:
    July 30th, 2005 at 04:27:52

    Using Thunderbird as a simple RSS reader does work, it asks for user/pw and goes from there. I don’t know if the pw is saved in plaintext but reckon it saves it the same as other passwords too.

  10. ryan king Says:
    July 30th, 2005 at 01:03:03

    NetNewsWire works.

  11. Roland Kaufmann Says:
    July 30th, 2005 at 02:39:54

    SharpReader seems to handle the link fine (at least as of version 0.9.6.0), both with username and password encoded in the URL and with an interactive prompt.

  12. Robert Sharl Says:
    August 2nd, 2005 at 04:30:11

    Works fine in Safari 2.0 on Mac OS X 10.4 Tiger. Just like accessing a protected domain on any webserver.

    Robert

  13. Robert Sharl Says:
    August 2nd, 2005 at 04:32:58

    Even better, iTunes handles the authentication too! It reports an error since there are no audio enclosures, but it seems to work.. If you’d like to add an audio enclosure to one of the entries we could see if it handles that ok.

    Robert

  14. Rijk Says:
    August 6th, 2005 at 09:20:13

    Works fine in Opera as well.

  15. Douglas Says:
    August 15th, 2005 at 05:41:16

    KDE’s built-in RSS reader, Akregator, works fine also.
    -dr

  16. Quoderat » SSL/TLS RSS Challenge Says:
    August 20th, 2005 at 08:38:29

    [...] Thanks to everyone who posted comments on my Password-Protected RSS challenge three weeks ago. It turned out that the vast majority of feed readers can handle HTTP basic authentication for feeds. [...]

  17. Ben Hyde Says:
    August 20th, 2005 at 09:05:26

    NetNewsWire Lite 2.0.1 also works, prompts for user name and password as it does the first fetch and squirrels them away on the MacOS keychain.

  18. ryan king Says:
    September 12th, 2005 at 07:06:53

    BTW, you’re not the first person to do such a survey. You might want to take a look at this.

  19. Custom Reader Says:
    September 23rd, 2005 at 05:48:35

    Works fine in our brandable RSS reader

  20. yoavos Says:
    September 27th, 2005 at 04:56:50

    Newsgator asks for credentials and then works well. The new google RSS reader reports an error..

  21. mortgages Says:
    November 8th, 2005 at 10:56:51

    001

  22. kelly Says:
    December 27th, 2005 at 04:19:07

    Works fine in Safari 2.0 on Mac OS X 10.4 Tiger. Just like accessing a protected domain on any webserver.

  23. Sven Says:
    March 28th, 2006 at 03:09:12

    I tried 401 basic authentification on exclusively one episode in my RSS-Feed with enclosures. iTunes asks for Username/Password. Some iTunes clients (windows/6.02) now download this episode over and over again. Others don’t. Any ideas?

  24. Rain Says:
    July 17th, 2006 at 12:49:11

    Could someone tell me how to use this with livejournal and FeedDemon? I’m struggling with it like crazy and would really LOVE to know how to do it.

  25. Shipra Says:
    September 5th, 2006 at 05:20:25

    Syntax for passing User name and password in RSS Feed

  26. Shipra Says:
    September 5th, 2006 at 05:21:35

    What is error which it gives ,if the RSS URL is Password Protected?

  27. david Says:
    September 5th, 2006 at 06:02:32

    The error depends on the feed reader, but no matter what, it won’t be able to see the RSS and display the feed.