hc-dev mailing list archives

From Oleg Kalnichevski <ol...@apache.org>
Subject Re: Automatic switch between Basic Auth and NTLM Auth
Date Wed, 13 Sep 2006 11:13:31 GMT
On Wed, 2006-09-13 at 16:26 +0530, Saminda Abeyruwan wrote:
> 
> Oleg Kalnichevski wrote:
> > On Wed, 2006-09-13 at 10:08 +0530, Saminda Abeyruwan wrote:
> > Hi Devs,
> > 
> > I'm Saminda Abeyruwan, an Axis2 committer, and I designed and contributed to the
> > http/https transport in Axis2. In the process I've been able to
> > contribute to Basic and NTLM Auth based on the sample you guys have put
> > on the site. But we do (Axis2) handle Basic and NTLM separately. Thus,
> > we configure httpclient manually to do basic or NTLM auth. IMHO this is
> > wrong. I've found that this switch is automatically handled by
> > commons-httpclient-3.0.
> > 
> > I would kindly ask how I could write a codebase to support auth
> > without knowing what auth mechanism commons-httpclient uses. I tried
> > many times to grasp this idea and did some research. But I still need
> > some help. Commons-httpclient is a powerful tool, and Axis2 really wants
> > to explore its capacity.
> > 
> > 
> >> Hi Saminda,
> > 
> >> HttpClient is designed to automatically select an authentication scheme
> >> based on the challenge returned by the target server. It is always the
> >> server side of HTTP that determines what kind of authentication
> >> mechanism should be used. In those cases when the target server supports
> >> multiple authentication schemes HttpClient makes an effort to select the
> >> most secure one. The default auth scheme order of preference is NTLM,
> >> Digest, Basic. In other words per default HttpClient will always pick
> >> NTLM over Basic given a choice. One can set a different order of
> >> preference if so is desired. For instance, if you want to make sure
> >> HttpClient does not use Basic auth at all, just exclude Basic from the
> >> order of preference. 
> > 
> >> If you need more details, just let me know.
> > 
> >> Hope this helps somewhat.
> > 
> >> Oleg
> 
> Hi Oleg,
> 
> Thank you for the quick response. Based on the
> InteractiveAuthenticationExample sample, I've written my own credential
> provider to provide either UsernamePasswordCredentials or NTCredentials.
> 
> What would be the best way to set the AuthScope, and where should I set
> it, if I'm using the following?
>     ....
>     HttpClient client = new HttpClient();
>     client.getParams().setParameter(
>         CredentialsProvider.PROVIDER, new MyCredentialProvider());
>     GetMethod httpget = new GetMethod("http://foo.com");
>     httpget.setDoAuthentication(true);
>     try {
>         // execute the GET
>         int status = client.executeMethod(httpget);
>         // print the status and response
>         System.out.println(httpget.getStatusLine().toString());
>         System.out.println(httpget.getResponseBodyAsString());
>     } finally {
>         // release any connection resources used by the method
>         httpget.releaseConnection();
>     }
>     ....
> 
> Thank you
> 
> Saminda
> 

Saminda,

You no longer have to specify an auth scope when using a custom
credentials provider. HttpClient will automatically add credentials to
the HttpState based on the authentication context. 

Be _EXTRA_ careful when implementing a custom credentials provider,
though. HttpClient makes no provisions to check whether the same
credentials have been tried already. It is a responsibility of the
custom credentials provider to keep track of authentication attempts and
to ensure that credentials known to be invalid are not retried. Do make
sure that your credentials provider can gracefully handle invalid
credentials. 

I would go as far as to advise against using the CredentialsProvider interface
unless you are not trying to implement an interactive authentication
dialog of some sort.

Oleg

> > 
> > 
> > Please do help me on this.
> > 
> > Looking forward to hearing from you.
> > 
> > Saminda
> > 
> >>
> - ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: httpclient-dev-help@jakarta.apache.org
> 
> 
> 
> 
> 
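
One way to do the attempt tracking described in the reply above, as an added example (not code from this thread or from the HttpClient project), written against the commons-httpclient 3.x `CredentialsProvider` interface. The class name `OneShotCredentialsProvider`, the scope key format, and the assumption that a repeated request for the same scope means the earlier credentials were rejected are choices made for this example.

```java
import java.util.HashSet;
import java.util.Set;

import org.apache.commons.httpclient.Credentials;
import org.apache.commons.httpclient.NTCredentials;
import org.apache.commons.httpclient.UsernamePasswordCredentials;
import org.apache.commons.httpclient.auth.AuthScheme;
import org.apache.commons.httpclient.auth.CredentialsNotAvailableException;
import org.apache.commons.httpclient.auth.CredentialsProvider;
import org.apache.commons.httpclient.auth.NTLMScheme;

/** Hypothetical provider: hands out one stored credential set per auth scope, once. */
public class OneShotCredentialsProvider implements CredentialsProvider {

    private final String user;
    private final String password;
    private final String workstation; // used for NTLM only
    private final String domain;      // used for NTLM only

    // Scopes for which the stored credentials have already been handed out.
    private final Set<String> attempted = new HashSet<String>();

    public OneShotCredentialsProvider(String user, String password,
                                      String workstation, String domain) {
        this.user = user;
        this.password = password;
        this.workstation = workstation;
        this.domain = domain;
    }

    public synchronized Credentials getCredentials(AuthScheme scheme, String host,
            int port, boolean proxy) throws CredentialsNotAvailableException {
        if (scheme == null) {
            throw new CredentialsNotAvailableException("No authentication scheme given");
        }
        // Key on everything that distinguishes one authentication context from another.
        String scope = (proxy ? "proxy:" : "target:") + host + ":" + port
                + "/" + scheme.getSchemeName() + "/" + scheme.getRealm();
        // Assumption: a second request for the same scope means the credentials
        // returned earlier were rejected, so refuse instead of resending them.
        if (!attempted.add(scope)) {
            throw new CredentialsNotAvailableException(
                    "Credentials for " + scope + " were already tried; not retrying");
        }
        // The server's challenge decides the scheme; match the credential type to it.
        if (scheme instanceof NTLMScheme) {
            return new NTCredentials(user, password, workstation, domain);
        }
        return new UsernamePasswordCredentials(user, password);
    }
}
```

The exception message names only the scope, never the user name or password, so it is safe to log.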

