Date: 9 Jun 2004 09:18:41 -0000
From: bugzilla@apache.org
To: commons-httpclient-dev@jakarta.apache.org
Subject: DO NOT REPLY [Bug 29439] - Credentials ignored if realm specified in preemptive authentication

http://issues.apache.org/bugzilla/show_bug.cgi?id=29439

Credentials ignored if realm specified in preemptive authentication

------- Additional Comments From pvdyck@operamail.com 2004-06-09 09:18 -------

Ortwin,

As long as preemptive auth is irrelevant without a null realm, a warning message is a solution.
But I don't personally think it is defensive enough, since it disables preemptive auth and it could result in large performance degradation since you have to repeat (multi-megabytes?) POST requests two times to get through. It can even not work at all when you expect preemptive auth to work in a load balanced web server environment (load balancing is not configured to maintain sessions). What happens is that the first request goes to server 1 and the answer is 401 (with a session id cookie), and then the second request goes to another server 2, which accepts the credentials BUT refuses the session id (answer is 401 invalid-session id!). It may sound tricky, but it actually happens!

So, since preemptive auth without a null realm is useless, would it be possible to assume null realms if auth is preemptive in: Credentials creds = (Credentials) map.get(entry) ? Maybe using a Comparable interface on Credentials objects?

And BTW, thanks for your quick and efficient support,

Philippe
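
The lookup problem raised in this comment, as an added example that is not part of the original message and is not HttpClient's own code: a plain map lookup keyed on (realm, host) misses realm-specific credentials when no challenge has supplied the realm yet, while a realm-tolerant lookup can serve the preemptive case. The class, method names and credential strings are hypothetical, and declining to guess when several realms share a host is an assumption of this sketch, not something the comment proposes.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration only: Scope, register and the lookup methods are hypothetical
// names, not HttpClient classes. Credential strings are constructed sample values.
public class PreemptiveLookupDemo {
    // Map key: (realm, host). Records compare null components safely (Java 16+).
    record Scope(String realm, String host) {}

    private final Map<Scope, String> store = new HashMap<>();

    void register(String realm, String host, String creds) {
        store.put(new Scope(realm, host), creds);
    }

    // Plain map lookup. A preemptive request has seen no 401 challenge, so it can
    // only ask with realm == null and misses credentials stored under a named realm.
    String exactLookup(String realm, String host) {
        return store.get(new Scope(realm, host));
    }

    // Realm-tolerant lookup for the preemptive case: prefer a null-realm entry, else
    // accept a realm-specific entry only if it is the single one for this host.
    String preemptiveLookup(String host) {
        String anyRealm = store.get(new Scope(null, host));
        if (anyRealm != null) return anyRealm;
        String found = null;
        for (Map.Entry<Scope, String> e : store.entrySet()) {
            if (!host.equals(e.getKey().host())) continue;
            if (found != null) return null; // ambiguous: wait for the server's challenge
            found = e.getValue();
        }
        return found;
    }

    public static void main(String[] args) {
        PreemptiveLookupDemo state = new PreemptiveLookupDemo();
        String host = "app.example.test";               // constructed host name
        state.register("intranet", host, "alice:constructed-password");

        System.out.println(state.exactLookup(null, host));       // realm unknown, plain map
        System.out.println(state.exactLookup("intranet", host)); // realm known from a challenge
        System.out.println(state.preemptiveLookup(host));        // realm-tolerant, one realm

        state.register("admin", host, "root:constructed-password");
        System.out.println(state.preemptiveLookup(host));        // realm-tolerant, two realms
    }
}
```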