Note: To set default Credentials for any realm that has not been
explicitly specified, pass in null as the value of
@@ -41,7 +42,15 @@
-
To enable preemptive authentication by default for all newly created
+
Preemptive authentication mode also requires default Credentials to be set
+ for the target or proxy host against which preemptive authentication is to be
+ attempted. Failure to provide default credentials will render the preemptive
+ authentication mode ineffective.
+
+
+
+
To enable preemptive authentication by default for all newly created
HttpState's, a system property can be set, as shown below.
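Review bot: The added paragraph requires default Credentials "for the target or proxy host" but does not say which setter arguments that means, while the earlier context line defines defaults by passing in null. State whether a null realm with an explicit host is enough for preemptive mode, so readers do not reach for the null host and realm combination that the caution added further down calls highly discouraged. The context sentence about enabling preemptive authentication for all newly created HttpState's through a system property would also benefit from a pointer to that caution, since the property turns the behaviour on by default everywhere.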
@@ -58,6 +67,28 @@
a userid and password in the Proxy-Authorization header field without
receiving another challenge from the proxy server.
+
+
+
Use default credentials with caution when developing applications
+ that may need to communicate with untrusted web sites or web applications. When
+ preemptive authentication is activated or credentials are not explicitly given
+ for a specific authentication realm and host HttpClient will use default credentials
+ to try to authenticate with the target site. If you want to avoid sending sensitive
+ credentials to an untrusted site, narrow the credentials scope as much as possible:
+ always specify the host and, when known, the realm the credentials are intended for.
+
+
+ Setting credentials with null host and realm values is highly
+ discouraged in production applications. Doing this will result in the credentials
+ being sent for all authentication attempts (all requests in the case of
+ preemptive authentication). Use of this setting should be limited to debugging
+ only.
+
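Review bot: The first added paragraph advises specifying "the host and, when known, the realm", but the context lines at the top of this hunk say the userid and password are sent without receiving another challenge, so it is unclear whether a realm restriction has any effect in preemptive mode. Say explicitly which scope values limit preemptive sends. In the same paragraph a comma is missing after "realm and host", and in the second paragraph "limited to debugging only" is redundant ("limited to debugging" is enough).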