hc-dev mailing list archives

From "John Melody" <j...@sybernet.ie>
Subject RE: Httpclient + HTTPS + Proxy + BASIC Authentication
Date Wed, 24 Mar 2004 12:57:37 GMT
Hi Oleg,

Thanks for your quick response.

Just to clarify one point - I am not concerned about authenticating
with the proxy - rather I need to do BASIC Authentication with the target
server and I am wondering, if I use pre-emptive authentication, are the
username and password credentials sent to the target server in clear text -
before the full SSL connection is in place?

So when I make the request to the URL i.e.
https://www.targetserver.com/document
via the proxy, the target server is going to come back looking for
username/password credentials because the "document" resource will require
this.
Httpclient will allow me to configure it so that it takes care of this
authentication request from the target server using

		post.setDoAuthentication( true );

However, if I am using pre-emptive authentication, have the username and
password gone to the target server unsecured?

thanks for your help,

John


-----Original Message-----
From: Kalnichevski, Oleg [mailto:oleg.kalnichevski@bearingpoint.com]
Sent: 24 March 2004 13:26
To: Commons HttpClient Project
Subject: RE: Httpclient + HTTPS + Proxy + BASIC Authentication



John,

The connection between the client (the agent) and the proxy is always
unencrypted regardless of the transport mechanism used to access the target
server (plain or SSL). Therefore, when the Basic authentication scheme is
used to authenticate with the proxy, the credentials are transmitted in
clear case. To my knowledge none of the mainstream proxy servers currently
implements transport security between the client (the agent) and the proxy.

The HTTPS + Proxy + BASIC Authentication bug has been fixed in the
3.0-prealpha-nightly version of HttpClient. Please note that this is an
unstable development version and it is incompatible with the 2.0 API. If
things progress well, we may have the first official alpha out by the of May
for the public review of the new 3.0 API.

<http://jakarta.apache.org/commons/httpclient/downloads.html>

Cheers,

Oleg

-----Original Message-----
From: John Melody [mailto:john@sybernet.ie]
Sent: Wednesday, March 24, 2004 13:36
To: commons-httpclient-dev@jakarta.apache.org
Subject: Httpclient + HTTPS + Proxy + BASIC Authentication


Hi,

I have read the notes on the bug in Httpclient V2.0 to do with
using Basic Authentication with a HTTPS Url through a proxy.

One workaround proposed is to use preemptive authentication.

Are the credentials i.e. username, password sent unencrypted to the
target server when Preemptive Authentication is used even though the URL is
a https URL?

There are some notes about a PATCH being available for this problem.
If so, how do I get it - I am currently using HttpClient V2.0. Can
this version be patched to fix the problem or must I move to a newer
version of httpclient to avail of the patch?

thanks for any help,
John.

regards,
John.
John Melody
SyberNet Ltd.
Galway Business Park,
Dangan,
Galway.
Tel. No. +353 91 514400
Fax. NO. +353 91 514409
Mobile - 087-2345847


---------------------------------------------------------------------
To unsubscribe, e-mail:
commons-httpclient-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail:
commons-httpclient-dev-help@jakarta.apache.org




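A check for which Basic credentials are readable on the client-to-proxy leg discussed in this thread, as an added example that is not part of the original messages or of HttpClient's code. It assumes a client that tunnels https:// requests with CONNECT and sends the target server's Authorization header only inside the TLS session (standard tunnelling behaviour, not a statement about the 2.0 bug); the captures, credentials and the function name `exposed_basic_credentials` are constructed for illustration.

```python
import base64

# Constructed sample headers; the credentials are made up for this example.
PROXY_AUTH = b"Proxy-Authorization: Basic " + base64.b64encode(b"proxyuser:proxypass")
TARGET_AUTH = b"Authorization: Basic " + base64.b64encode(b"john:secret")

# Constructed client-to-proxy bytes for an https:// URL: a cleartext CONNECT,
# then TLS records (placeholder bytes) that carry the real request.
HTTPS_VIA_PROXY = (
    b"CONNECT www.targetserver.com:443 HTTP/1.1\r\n"
    b"Host: www.targetserver.com:443\r\n" + PROXY_AUTH + b"\r\n\r\n"
    b"\x16\x03\x01\x00\x05hello"             # placeholder TLS handshake record
    b"\x17\x03\x01\x00\x04\x8f\x02\xaa\x10"  # placeholder encrypted request
)

# Constructed client-to-proxy bytes for a plain http:// URL: nothing is tunnelled.
HTTP_VIA_PROXY = (
    b"GET http://www.targetserver.com/document HTTP/1.1\r\n"
    b"Host: www.targetserver.com\r\n" + PROXY_AUTH + b"\r\n" + TARGET_AUTH + b"\r\n\r\n"
)

def exposed_basic_credentials(capture: bytes):
    """Return [(header name, username)] for Basic credentials sent in cleartext."""
    findings = []
    pos = 0
    while pos < len(capture):
        # A TLS record starts with content type 20-23 and major version 3;
        # from here on the stream is encrypted, so there is nothing to read.
        if capture[pos] in (20, 21, 22, 23) and capture[pos + 1:pos + 2] == b"\x03":
            break
        end = capture.find(b"\r\n\r\n", pos)
        if end == -1:
            break
        for line in capture[pos:end].split(b"\r\n")[1:]:  # skip the request line
            name, _, value = line.partition(b":")
            scheme, _, token = value.strip().partition(b" ")
            is_auth = name.strip().lower() in (b"authorization", b"proxy-authorization")
            if is_auth and scheme.lower() == b"basic":
                # Basic is only base64(user:password); report the user name.
                user = base64.b64decode(token).split(b":", 1)[0].decode()
                findings.append((name.strip().decode(), user))
        pos = end + 4
    return findings

if __name__ == "__main__":
    print("https via proxy:", exposed_basic_credentials(HTTPS_VIA_PROXY))
    print("http via proxy: ", exposed_basic_credentials(HTTP_VIA_PROXY))
```

In the tunnelled case only the proxy credentials show up, because the target's Authorization header travels inside the TLS records; in the plain http:// case both sets are readable.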