[More updates from comments.]
[Update: many more results, collected from comments. It looks like nearly every feed reader can handle at least HTTP basic authentication, which is good news for people planning to use RSS and Atom in government or enterprise.]
I’ve uploaded a small, static RSS file at http://www.megginson.com/test/blog.rss. The file is valid RSS 2.0 (or 2.01, if you prefer), and is served with the MIME type application/xml.
Here’s the kicker — it’s password-protected, using HTTP basic authentication. The username and password are both “guest”. Can your RSS software or webapp read this feed? Here’s what I’ve tested so far:
- Liferea
  - Prompts for a username and password, and stores the password on disk as clear text.
- Bloglines
  - Reports no feed found. However, will read the RSS file if the username and password are encoded in the URL, i.e. http://guest:guest@www.megginson.com/test/blog.rss
- FeedValidator
  - Reports a 401 HTTP error (authorization required). Strips the username and password from the URL if they are provided.

Here are results gathered by others and left as comments for this posting:

- CaRP
  - Antone Roundy reports success when the configuration line CarpConf('basicauth','guest:guest'); is included. I am not certain if that line would apply to all feeds, or just to this one.
- FeedDemon
  - Bill de hOra reports success both with this sample and with password-protected https feeds at his workplace.
- RSSBandit
  - Dan Sholler reports success.
- Sage
  - Tim Howland and John Cowan both report success, since Sage uses the browser’s built-in authentication support. M. David Peterson points out that anything built on top of Mozilla/Firefox or MSIE should work.
- NewsFire
  - Peter Lacey reports success.
- Thunderbird
  - Christof Hoeke reports success.
- NetNewsWire
  - Ryan King reports success.
- SharpReader
  - Roland Kaufmann reports partial success (with the username and password embedded in the URL).
- iTunes
  - Robert Sharl reports success (though iTunes reports an error due to the lack of an audio enclosure).
- Opera
  - Rijk van Geijtenbeek reports success.
- KDE Akregator
  - Douglas reports success.
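The results above differ mainly in where the credentials live (typed at a prompt, or embedded in the URL) and in how a 401 is reported. The following is an added example, not code from the original post or from any of the readers tested: a fetcher that lifts `user:password@` out of the feed URL, sends it as an `Authorization` header, returns a URL that is safe to log or store, and surfaces a 401 as a 401. The function names and the local stand-in server are assumptions made for the illustration.

```python
import base64, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit, urlunsplit, unquote

def split_credentials(url):
    """Return (url_without_userinfo, username, password) for a feed URL."""
    p = urlsplit(url)
    host = p.hostname or ""
    if ":" in host:                      # IPv6 literal needs its brackets back
        host = f"[{host}]"
    if p.port:
        host += f":{p.port}"
    clean = urlunsplit((p.scheme, host, p.path, p.query, p.fragment))
    user = unquote(p.username) if p.username is not None else None
    password = unquote(p.password) if p.password is not None else None
    return clean, user, password

def fetch_feed(url):
    """Return (status, body_or_None, loggable_url); credentials go in a header."""
    clean, user, password = split_credentials(url)
    req = urllib.request.Request(clean)
    if user is not None:
        token = base64.b64encode(f"{user}:{password or ''}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status, resp.read(), clean
    except urllib.error.HTTPError as err:
        return err.code, None, clean     # surface the 401, not a parse error

class ConstructedFeed(BaseHTTPRequestHandler):
    """Local stand-in for the protected test feed (constructed sample)."""
    def do_GET(self):
        ok = "Basic " + base64.b64encode(b"guest:guest").decode()
        authed = self.headers.get("Authorization") == ok
        body = b'<rss version="2.0"><channel/></rss>' if authed else b""
        self.send_response(200 if authed else 401)
        if not authed:
            self.send_header("WWW-Authenticate", 'Basic realm="test"')
        self.send_header("Content-Type", "application/xml")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):        # keep the demo quiet
        pass

def start_constructed_feed():
    server = HTTPServer(("127.0.0.1", 0), ConstructedFeed)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server
```

Basic authentication only base64-encodes the credentials, so the header protects them from URL logs and history but not from the network; that still requires HTTPS.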
CaRP fails if you don’t enter authentication credentials (incorrectly reporting an XML parsing error–the next version will be a proper HTTP client and report the 401!), but succeeds if you include this configuration line in your code: CarpConf('basicauth','guest:guest');
FeedDemon will work with this (we have a few password+https protected feeds in work)
Looks like it works OK in RSSBandit.
For what it’s worth both Firefox/Mozilla and IE access the feed, first asking for the username and password. While this technically means diddly as it doesn’t use the test you suggested, it does lend well to the idea of using the browser for validation to then pass these credentials to a default application that determines if this is an RSS or Atom feed and, if yes, renders the feed.
I guess my point in bringing this up is that it seems we should be using existing mechanisms that we know work and work well to accomplish particular tasks, like handling HTTP logins, storing the username and password as part of our client-side browser profiles. Not that we can or even should expect this to happen… but one can always dream 🙂
Sage works fine, using the browser’s built in mechanisms for basic auth.
I tested it in Sage, which is a Firefox extension that I normally use for feedreading (I like it better than the built-in Firefox live bookmarks). It prompted me for username and password when I added the feed, and remembered them until the Firefox process terminates, as you’d expect.
Do the actual entries really 404? That’s what FF is telling me.
Works perfectly in NewsFire. Entries are readable too.
Using Thunderbird as a simple RSS reader does work, it asks for user/pw and goes from there. I don’t know if the pw is saved in plaintext but reckon it saves it the same as other passwords too.
NetNewsWire works.
SharpReader seems to handle the link fine (at least as of version 0.9.6.0), both with username and password encoded in the URL and with an interactive prompt.
Works fine in Safari 2.0 on Mac OS X 10.4 Tiger. Just like accessing a protected domain on any webserver.
Robert
Even better, iTunes handles the authentication too! It reports an error since there are no audio enclosures, but it seems to work. If you’d like to add an audio enclosure to one of the entries we could see if it handles that ok.
Robert
Works fine in Opera as well.
KDE’s built-in RSS reader, Akregator, works fine also.
-dr
NetNewsWire Lite 2.0.1 also works, prompts for user name and password as it does the first fetch and squirrels them away on the MacOS keychain.
BTW, you’re not the first person to do such a survey. You might want to take a look at this.
Works fine in our brandable RSS reader
Newsgator asks for credentials and then works well. The new Google RSS reader reports an error.
I tried 401 basic authentication on exclusively one episode in my RSS feed with enclosures. iTunes asks for username/password. Some iTunes clients (windows/6.02) now download this episode over and over again. Others don’t. Any ideas?
Could someone tell me how to use this with livejournal and FeedDemon? I’m struggling with it like crazy and would really LOVE to know how to do it.
Syntax for passing User name and password in RSS Feed
What is the error which it gives, if the RSS URL is password protected?
The error depends on the feed reader, but no matter what, it won’t be able to see the RSS and display the feed.