hc-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Rob Owen" <Rob.O...@sas.com>
Subject RE: Multiple attempts with same credentials
Date Fri, 21 Feb 2003 19:05:44 GMT
The following test program, using server with Digest authentication (eg. Apcahe2), should show
the problem - trace will show 100 attempts. Make sure that the credentials are incorrect (invalid
userid or password).

import org.apache.commons.httpclient.*;
import org.apache.commons.httpclient.methods.*;

public class HttpClientTest
   public static void main( String[] args ) {

      HttpClient client;

      UsernamePasswordCredentials creds = null;
      String path   = "http://host/path";
      String userid = "joe";
      String pw     = "smiff";
      try {
         client = new HttpClient();

         creds = new UsernamePasswordCredentials( userid, pw );
         client.getState().setCredentials( null, creds );

         PutMethod amethod = new PutMethod( path );
         amethod.setRequestHeader( "Content-Type", "text/plain" );
         amethod.setRequestBody( "body" );


     } catch (Exception ex) { ex.printStackTrace(); }

-----Original Message-----
From: Ortwin Gl├╝ck [mailto:ortwin.glueck@nose.ch] 
Sent: Monday, February 17, 2003 4:07 AM
To: Commons HttpClient Project
Subject: Re: Multiple attempts with same credentials

Rob Owen wrote:
> HttpMethodBase's processAuthenticationResponse uses a set of realms
> to which attempts to authenticate have already been made. The
> elements of the set are a concatenation of the requested path and the
> value of the Authentication response header.
> For digest authentication this response header contains a nonce
> value, which is uniquely generated by the server each time a 401
> response is made. This makes it impossible to recognize that
> authentication against this realm has been attempted before and so
> all 100 attempts are made before returning. The nonce should probably
> not be used in the realmsUsed elements.

Wow! That's quite an ugly bug.

Rob, do you mind providing a test case for that?


To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org

View raw message