hc-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 29439] - Credentials ignored if realm specified in preemptive authentication
Date Wed, 09 Jun 2004 10:00:00 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=29439>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=29439

Credentials ignored if realm specified in preemptive authentication

olegk@apache.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|Normal                      |Enhancement
             Status|NEW                         |ASSIGNED
   Target Milestone|---                         |3.0 Alpha 2



------- Additional Comments From olegk@apache.org  2004-06-09 09:59 -------
Philippe,
Just recently we have had quite a few complaints regarding the way preemptive
authentication is handled. The official HttpClient authentication guide has been
revised to clarify the gray areas in the 2.0 API, primarily concerning the
prerequisites expected in order to make preemptive authentication functional.
Rather unfortunately, the site has not been redeployed yet, so the updated
authentication guide is not available at the moment. You can see the xdoc source
at the following location:

http://cvs.apache.org/viewcvs.cgi/jakarta-commons/httpclient/xdocs/authentication.xml?rev=1.5.2.4&only_with_tag=HTTPCLIENT_2_0_BRANCH&view=markup

> But I don't personally think it is defensive enough since it disables 
> preemptive auth and it could result in large performance degradation 
> since you have to repeat (multi-megabytes?) POST requests two times 
> to get through.

Preemptive authentication is not the best answer to this problem. The problem
can be much better addressed by using the so-called 'expect-continue' handshake. See
ExpectContinueMethod method's javadoc for details.

The entire authentication framework in HttpClient has been completely rewritten
for the 3.0 release. With HttpClient 3.0 one should already get a warning in
case of missing authentication credentials. Furthermore, it also provides a
better API for credentials assignment and retrieval. I will also try to come up
with a better way to assign default credentials. So, stay tuned.

Oleg
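
The 'expect-continue' handshake mentioned in the comment above, as an added example that is not part of the original message and is not HttpClient code: a toy Python server and client over a local socket pair, showing that the unauthenticated attempt is rejected on its headers alone and the body crosses the wire once. The credentials, realm, path, host name and function names are constructed for the example.

```python
import base64, socket, threading
# Constructed sample credentials; nothing here comes from the bug report.
EXPECTED = "Basic " + base64.b64encode(b"alice:s3cret").decode()

def read_head(sock):
    """Read one HTTP header block (up to the blank line) and return it as text."""
    data = b""
    while b"\r\n\r\n" not in data and (chunk := sock.recv(4096)):
        data += chunk
    return data.decode("latin-1")

def handle(conn, received):
    """Toy server: decide on the headers alone, before accepting any body byte."""
    with conn:
        head = read_head(conn)
        if f"Authorization: {EXPECTED}\r\n" not in head:
            received.append(0)  # rejected without reading a body
            conn.sendall(b'HTTP/1.1 401 Unauthorized\r\n'
                         b'WWW-Authenticate: Basic realm="demo"\r\nContent-Length: 0\r\n\r\n')
            return
        conn.sendall(b"HTTP/1.1 100 Continue\r\n\r\n")  # invite the body
        length = int(head.split("Content-Length: ")[1].split("\r\n")[0])
        got = 0
        while got < length and (chunk := conn.recv(65536)):
            got += len(chunk)
        received.append(got)
        conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")

def post_with_expect_continue(body):
    """Client: send headers with Expect: 100-continue; send the body only after a 100."""
    statuses, body_sent, received, auth = [], 0, [], ""
    for _ in range(2):  # unauthenticated attempt, then a retry with credentials
        client, server = socket.socketpair()  # stands in for a fresh TCP connection
        worker = threading.Thread(target=handle, args=(server, received))
        worker.start()
        with client:
            client.sendall(("POST /upload HTTP/1.1\r\nHost: example.invalid\r\nContent-Length: "
                            f"{len(body)}\r\nExpect: 100-continue\r\n{auth}\r\n").encode())
            statuses.append(int(read_head(client).split()[1]))
            if statuses[-1] == 100:
                client.sendall(body)
                body_sent += len(body)
                statuses.append(int(read_head(client).split()[1]))
            else:
                auth = f"Authorization: {EXPECTED}\r\n"  # answer the challenge on retry
        worker.join()
    return statuses, body_sent, received
if __name__ == "__main__":
    print(post_with_expect_continue(b"x" * 1_000_000))
```

The returned tuple lists the status codes the client saw, the body bytes it transmitted, and the body bytes the server read per connection.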
