commons-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Adrian Sutton <>
Subject RE: [HttpClient] Authentication using Basic
Date Wed, 11 Dec 2002 23:30:32 GMT
Currently there isn't, however we probably should be more intelligent about
falling back to other authentication schemes based on the type of
credentials provided.  Having said this I'm not sure it conforms to the HTTP
spec strictly (which states that the client must use the strongest
authentication scheme it supports, there's a grey area here because if your
application doesn't provide a dialog or similar for the user to enter NTLM
credentials it can only support basic or digest authentication, despite
HTTPClient supporting NTLM).

What I'd like to see happen is:

When NTLM authentication is requested as top priority but only
UsernamePasswordCredentials are available instead of NTLMCredentials we fall
back to one of the other schemes.  In general this would mean that:

if an authentication scheme is requested and a credentials object of the
wrong type is provided, HTTPClient should assume (probably optionally or
only in non-strict mode) that the requested authentication scheme is not
supported and fall through to other options.

Achieving this would require a reasonably amount of refactoring of the
Authenticator class but shouldn't be impossible.  Unfortunately I don't have
time to do it myself at the moment but I'd be happy to help out if you felt
like doing it, otherwise logging an enhancement bug in Bugzilla would be a
good way to record this request until someone has time to actually implement

Adrian Sutton, Software Engineer
Ephox Corporation

-----Original Message-----
From: Gustafson, Vicki []
Sent: Thursday, 12 December 2002 5:03 AM
To: Jakarta Commons Users List
Subject: [HttpClient] Authentication using Basic

sorry forgot the project specificaiton....

Is there a way to specify which authentication scheme you would like the
client to use if several schemes are returned in the www-auth header?

I'm performing a simple post using the httpClient.  The server returns a 401
at which point the httpClient tries to authenticate with the server.  The
following header is received:

Attempting to parse authenticate header: 'WWW-Authenticate: Negotiate, NTLM,
Basic realm="XXXwhateverXXX"

I need to authenticate using Basic, but the Authenticator class will only
try the most secure scheme:  NTLM.  Is there a setting or parameter I can
set to force the httpClient to use Basic?


// determine the most secure request header to add
Header requestHeader = null;
if (challengeMap.containsKey("ntlm")) {
    String challenge = (String) challengeMap.get("ntlm");
    requestHeader = Authenticator.ntlm(challenge, method, state,
} else if (challengeMap.containsKey("digest")) {
    String challenge = (String) challengeMap.get("digest");
    String realm = parseRealmFromChallenge(challenge);
    requestHeader = Authenticator.digest(realm, method, state,
} else if (challengeMap.containsKey("basic")) {
    String challenge = (String) challengeMap.get("basic");
    String realm = parseRealmFromChallenge(challenge);
    requestHeader = Authenticator.basic(realm, state, responseHeader);
} else if (challengeMap.size() == 0) {
    throw new HttpException("No authentication scheme found in '"
    + authenticateHeader + "'");
} else {
    throw new UnsupportedOperationException(
    "Requested authentication scheme " + challengeMap.keySet()
    + " is unsupported");

To unsubscribe, e-mail:
For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message