hc-dev mailing list archives

From Oleg Kalnichevski <ol...@apache.org>
Subject RE: preemptive
Date Tue, 10 Jun 2003 20:18:30 GMT
As I said before, currently only Basic authentication can be used
preemptively. As far as the Digest scheme goes, theoretically it may be
possible to preemptively authenticate against a Digest protected
resource for which 'nonce', 'nonce count' and 'opaque' values are known.
There's no guarantee that a target HTTP server would accept it, though.
Currently HttpClient does not provide for Digest scheme preemptive
authentication. Feel free to file a feature request for the future
releases.

http://jakarta.apache.org/commons/httpclient/issue-tracking.html

Alternatively, you could implement preemptive Digest authentication on
top of standard HttpClient functionality by using the AuthChallengeParser
and DigestScheme classes.

As a side note, I would advise you to use the 'expect: 100-continue'
handshake with your POST requests in order to avoid sending the request
body until the request is fully authenticated. That should speed things up
by quite a bit. See PostMethod#setUseExpectHeader(boolean).

Oleg


On Tue, 2003-06-10 at 17:34, Zulfi Umrani wrote:
> I removed the Log4J from my classpath and could produce debug info.
> Attached is the trace I got when authenticating for Digest on Tomcat.
> As per what I understand, Tomcat supports connection reuse. What I would
> like to see is that HttpClient store the Authorization header for a URL
> and resend it whenever it is invoking the URL again. If the server does
> not authenticate, it should re-authenticate the connection/url. Please
> let me know if I can set it up that way. Also is there a way to tell
> client,state or method about the scheme being used for pre-emptive
> authentication? This is so that it sends the right Authorization header
> even for the first time.
> 
> Thanks.
> 
> >>> oleg.kalnichevski@bearingpoint.com 6/10/2003 2:17:54 PM >>>
> Zulfi 
> 
> Both Digest & NTLM authentication schemes are connection oriented.
> Every time a new connection is opened to a Digest & NTLM protected
> resource, the user has to be re-authenticated. Per default HttpClient
> does its best to keep connections alive, provided that the server
> supports connection reuse, thus eliminating the need to re-authenticate
> the user. 
> 
> Since you are using Log4J toolkit you have to ensure it's been
> configured to log 'httpclient.wire' and 'org.apache.commons.httpclient'
> category of events at DEBUG verbosity. Please refer to commons-logging &
> Log4J documentation for details
> 
> Oleg
> 
> -----Original Message-----
> From: Zulfi Umrani [mailto:zumrani@novell.com] 
> Sent: Tuesday, June 10, 2003 17:03
> To: Kalnichevski, Oleg; commons-httpclient-dev@jakarta.apache.org 
> Subject: RE: preemptive
> 
> 
> What do you mean by "eliminating the authentication overhead"? Does this
> mean keeping the already Authenticated header and adding it next time
> the URL is being invoked? I am using Apache Tomcat Server to host a
> couple of protected URLs. One for Basic and the other for Digest. I believe
> it does the necessary connection management specified by the HTTP
> 1.0/1.1. For logging I execute the following before I do anything.
> log4j-1.2.8 and commons-logging-1.0.2. I do not have any other documentation
> for logging. If you have a sample code which enables logging even to a
> file, please send that to me. I am using JDK1.4 on Sun Solaris without
> any container to run the client. So I do not think it is redirecting
> stdout or stderr to somewhere else.
> 
> System.setProperty("org.apache.commons.logging.simplelog.defaultlog",
> "debug"); 
> System.setProperty("org.apache.commons.logging.Log",
> "org.apache.commons.logging.impl.SimpleLog"); 
> System.setProperty("org.apache.commons.logging.simplelog.showdatetime",
> "true"); 
> System.setProperty("org.apache.commons.logging.simplelog.log.httpclient.wire",
> "debug"); 
> System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.commons.httpclient",
> "trace"); 
> 
> 
> >>> oleg.kalnichevski@bearingpoint.com 6/10/2003 1:36:57 PM >>>
> Zulfi,
> Only Basic authentication scheme can be used preemptively. If you want
> to eliminate the authentication overhead associated with Digest or NTLM
> schemes you have to ensure that the HTTP server keeps connections alive
> when possible.
> 
> Please get logging to work. That should not be too difficult. Please
> note that application servers and servlet engines usually redirect
> standard output and standard error. If you are unable to figure out what
> is going on you might want to use Log4j toolkit that allows greater control
> over logging (for instance, you can specify a separate log file for a
> specific category of events). We will not be able to help you unless we
> can see the logs. 
> 
> Oleg
> 
> -----Original Message-----
> From: Zulfi Umrani [mailto:zumrani@novell.com] 
> Sent: Tuesday, June 10, 2003 16:27
> To: commons-httpclient-dev@jakarta.apache.org 
> Subject: RE: preemptive
> 
> 
> By setting realm as null, the pre-emptive authentication worked! But it
> sends a Basic Authorization header even if the URL is protected by
> Digest! For Digest it is still making 2 trips in order to authenticate.
> Which is fine for the first request, but it repeats the same thing for
> the second request as well. Is there a way to tell the state, method or
> client what kind of scheme is desired for pre-emptive authentication?
> Sorry, no logs here as log did not work.
> 
> >>> oleg.kalnichevski@bearingpoint.com 6/10/2003 3:47:32 AM >>>
> Zulfi,
> 
> Try setting both realm & host to null. That should do the trick
> 
> 	HttpClient hc = new HttpClient();
> 	HttpState state = hc.getState();
> 	state.setAuthenticationPreemptive(true);
>       // Set default credentials (realm & host are null)
> 	state.setCredentials(null, null, 
> 	    new UsernamePasswordCredentials("zulfi", "zulfi"));
> 
> 
> Folks,
> 
> The present convention for setting a default set of credentials is
> utterly confusing and needs to be redesigned in 2.1. I believe we should
> be using HttpState#setCredentials(HttpAuthRealm, Credentials) instead of
> HttpState#setCredentials(String, String, Credentials). We should also
> provide a static final class to represent the default set of
> credentials:
> 
> public static final HttpAuthRealm DEFAULT_AUTH_CREDENTIALS = new
> HttpAuthRealm(null, null);
> 
> The end user code might look similar to that below
> 
> 	state.setCredentials(DEFAULT_AUTH_CREDENTIALS, 
> 	    new UsernamePasswordCredentials("zulfi", "zulfi"));
> 
> 
> Cheers
> 
> Oleg
> 
> 
> -----Original Message-----
> From: Zulfi Umrani [mailto:zumrani@novell.com] 
> Sent: Tuesday, June 10, 2003 00:44
> To: commons-httpclient-dev@jakarta.apache.org 
> Subject: preemptive
> 
> 
> Tried to use the Preemptive Authentication feature. Could not get it to
> work. I used the HttpState.setAuthenticationPreemptive(true); to set the
> preemptive authentication ON. It still sends the first request without
> the Authorization header. Code sample is below. Would like to know how
> to set up the Pre-emptive Authentication.
> 
> package test;
> 
> import java.io.*;
> import java.net.URL;
> 
> import org.apache.commons.httpclient.*;
> import org.apache.commons.httpclient.methods.*;
> import org.apache.commons.httpclient.auth.*;
> import org.apache.commons.httpclient.util.*;
> 
> public class JCTest {
>     public static void main(String[] args) throws Exception {
> 	test0();
> 	test0();
> 	return;
>     }
> 
>     public static void test0() throws Exception {
> 	System.out.println("running test0");
> 
> 	String urlstr = "http://localhost:9999/services1/test";
> 	URL url = new URL(urlstr);
> 	
> 	HttpClient hc = new HttpClient();
> 	HttpState state = hc.getState();
> 	state.setAuthenticationPreemptive(true);
> 	state.setCredentials("", url.getHost(), 
> 	    new UsernamePasswordCredentials("zulfi", "zulfi"));
> 
> 	PostMethod post = new PostMethod(urlstr);
> 	post.setDoAuthentication(true);
> 
> 	post.addRequestHeader("Connection", "Keep-Alive");
> 	post.addRequestHeader("Content-Length", ""+msg.length());
> 	post.addRequestHeader("Content-Type", "text/xml; charset=utf-8");
> 
> 	InputStream reqis = new ByteArrayInputStream(msg.getBytes());
> 	
> 	post.setRequestBody(reqis);
> 
> 	HostConfiguration hconfig = new HostConfiguration();
> 	hconfig.setHost(new URI(urlstr));
> 	
> 	hc.executeMethod(hconfig, post);
> 
> 	System.out.println(post.getResponseBodyAsString());
> 	System.out.println();
> 	    
>     }
>     
>     private static String msg = "Text Message";
> 
> }
> 
> 
> Thanks.
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> commons-httpclient-dev-unsubscribe@jakarta.apache.org 
> For additional commands, e-mail:
> commons-httpclient-dev-help@jakarta.apache.org 
> 
> 
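
Added example, not part of the original thread and not HttpClient code: what "preemptive" Digest authentication amounts to once 'nonce' and 'opaque' are known from an earlier challenge, using only the JDK and RFC 2617 (qop=auth). The class name `PreemptiveDigest` is hypothetical, and the sample values are the ones from the RFC 2617 section 3.5 example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

/** Added illustration (JDK only, not HttpClient code): RFC 2617 Digest, qop=auth. */
public class PreemptiveDigest {
    // Values remembered from the server's last WWW-Authenticate challenge.
    private final String realm, nonce, opaque;
    private int nonceCount = 0; // must grow with every request that reuses the nonce

    PreemptiveDigest(String realm, String nonce, String opaque) {
        this.realm = realm; this.nonce = nonce; this.opaque = opaque;
    }

    static String md5Hex(String s) throws Exception {
        byte[] d = MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.ISO_8859_1));
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02x", b & 0xff));
        return sb.toString();
    }

    /** Builds an Authorization header value without waiting for a new 401. */
    String authorize(String user, String pass, String method, String uri, String cnonce) throws Exception {
        String nc = String.format("%08x", ++nonceCount);
        String ha1 = md5Hex(user + ":" + realm + ":" + pass);
        String ha2 = md5Hex(method + ":" + uri);
        String response = md5Hex(ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":auth:" + ha2);
        return "Digest username=\"" + user + "\", realm=\"" + realm + "\", nonce=\"" + nonce
            + "\", uri=\"" + uri + "\", qop=auth, nc=" + nc + ", cnonce=\"" + cnonce
            + "\", response=\"" + response + "\", opaque=\"" + opaque + "\"";
    }

    public static void main(String[] args) throws Exception {
        // Sample challenge values and credentials from the RFC 2617 section 3.5 example.
        // The cnonce is fixed only to reproduce the RFC result; use a fresh random one in practice.
        PreemptiveDigest d = new PreemptiveDigest("testrealm@host.com",
            "dcd98b7102dd2f0e8b11d0f600bfb0c093", "5ccc069c403ebaf9f0171e9517f40e41");
        String first = d.authorize("Mufasa", "Circle Of Life", "GET", "/dir/index.html", "0a4f113b");
        if (!first.contains("response=\"6629fae49393a05397450978507c4ef1\""))
            throw new AssertionError("does not match the RFC 2617 example");
        System.out.println(first);
        // Second request on the same nonce: nc becomes 00000002, so the response differs.
        System.out.println(d.authorize("Mufasa", "Circle Of Life", "GET", "/dir/index.html", "0a4f113b"));
    }
}
```

A server may still answer 401 with a new nonce (for example when it considers the old one stale), in which case the client has to discard the remembered values and start again from the new challenge.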

