Password-Protected RSS Challenge

[More updates from comments.]

[Update: many more results, collected from comments. It looks like nearly every feed reader can handle at least HTTP basic authentication, which is good news for people planning to use RSS and Atom in government or enterprise.]

I’ve uploaded a small, static RSS file at The file is valid RSS 2.0 (or 2.01, if you prefer), and is served with the MIME type application/xml.

Here’s the kicker — it’s password-protected, using HTTP basic authentication. The username and password are both “guest”. Can your RSS software or webapp read this feed? Here’s what I’ve tested so far:

Prompts for a username and password, and stores the password on disk as clear text.
Reports no feed found. However, will read the RSS file if the username and password are encoded in the URL, i.e.
Reports a 401 HTTP error (authorization required). Strips the username and password from the URL if they are provided.

Here are results gathered by others and left as comments for this posting:

Antone Roundy reports success when the configuration line CarpConf(’basicauth’,'guest:guest’); is included. I am not certain if that line would apply to all feeds, or just to this one.
Bill de hOra reports success both with this sample and with password-protected https feeds at his workplace.
Dan Sholler reports success.
Tim Howland and John Cowan both report success, since Sage uses the browser’s built-in authentication support. M. David Peterson points out that anything built on top of Mozilla/Firefox or MSIE should work.
Peter Lacey reports success.
Christof Hoeke reports success.
Ryan King reports success.
Roland Kaufmann reports partial success (with the username and password embedded in the URL).
Robert Sharl reports success (though iTunes reports an error due to the lack of an audio enclosure).
Rijk van Geijtenbeek reports success.
KDE Akregator

Douglas reports success.
This entry was posted in Uncategorized and tagged , . Bookmark the permalink.

27 Responses to Password-Protected RSS Challenge

  1. CaRP fails if you don’t enter authentication credentials (incorrectly reporting an XML parsing error–the next version will be a proper HTTP client and report the 401!), but succeeds if you include this configuration line in your code: CarpConf(‘basicauth’,’guest:guest’);

  2. Bill de hOra says:

    FeedDemon will work with this (we have a few password+https protected feeds in work)

  3. Dan Sholler says:

    Looks like it works OK in RSSBandit.

  4. For what its worth both Firefox/Mozilla and IE access the feed, first asking for the username and password. While this technically means diddly as it doesn’t use the test you suggested, it does lend well to the idea of using the browser for validation to then pass these credentials to a default application that determines if this is an RSS or Atom feed and, if yes, renders the feed.

    I guess my point in bringing this up is that it seems we should be using existing mechanisms that we know work and work well to accomplish particular tasks, like handling http logins, storing the username and password as part of our clients-side browser profiles. Not that we can or even should expect this to happen… but one can always dream 🙂

  5. Tim Howland says:

    Sage works fine, using the browser’s built in mechanisms for basic auth.

  6. John Cowan says:

    I tested it in Sage, which is a Firefox extension that I normally use for feedreading (I like it better than the built-in Firefox live bookmarks). It prompted me for username and password when I added the feed, and remembered them until the Firefox process terminates, as you’d expect.

    Do the actual entries really 404? That’s what FF is telling me.

  7. Pingback: netzooid

  8. Peter Lacey says:

    Works perfectly in NewsFire. Entries are readable too.

  9. Christof Hoeke says:

    Using Thunderbird as a simple RSS reader does work, it asks for user/pw and goes from there. I don’t know if the pw is saved in plaintext but reckon it saves it the same as other passwords too.

  10. ryan king says:

    NetNewsWire works.

  11. SharpReader seems to handle the link fine (at least as of version, both with username and password encoded in the URL and with an interactive prompt.

  12. Robert Sharl says:

    Works fine in Safari 2.0 on Mac OS X 10.4 Tiger. Just like accessing a protected domain on any webserver.


  13. Robert Sharl says:

    Even better, iTunes handles the authentication too! It reports an error since there are no audio enclosures, but it seems to work.. If you’d like to add an audio enclosure to one of the entries we could see if it handles that ok.


  14. Rijk says:

    Works fine in Opera as well.

  15. Douglas says:

    KDE’s built-in RSS reader, Akregator, works fine also.

  16. Pingback: Quoderat » SSL/TLS RSS Challenge

  17. Ben Hyde says:

    NetNewsWire Lite 2.0.1 also works, prompts for user name and password as it does the first fetch and squirrels them away on the MacOS keychain.

  18. ryan king says:

    BTW, you’re not the first person to do such a survey. You might want to take a look at this.

  19. Works fine in our brandable RSS reader

  20. yoavos says:

    Newsgator asks for credentials and then works well. The new google RSS reader reports an error..

  21. kelly says:

    Works fine in Safari 2.0 on Mac OS X 10.4 Tiger. Just like accessing a protected domain on any webserver.

  22. Sven says:

    I tried 401 basic authentification on exclusively one episode in my RSS-Feed with enclosures. iTunes asks for Username/Password. Some iTunes clients (windows/6.02) now download this episode over and over again. Others don’t. Any ideas?

  23. Rain says:

    Could someone tell me how to use this with livejournal and FeedDemon? I’m struggling with it like crazy and would really LOVE to know how to do it.

  24. Shipra says:

    Syntax for passing User name and password in RSS Feed

  25. Shipra says:

    What is error which it gives ,if the RSS URL is Password Protected?

  26. david says:

    The error depends on the feed reader, but no matter what, it won’t be able to see the RSS and display the feed.

Comments are closed.