hc-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Oleg Kalnichevski <ol...@apache.org>
Subject Re: Http Client 4.0 release date
Date Wed, 23 Apr 2008 19:23:43 GMT

On Tue, 2008-04-22 at 17:01 -0700, Pankaj Arora wrote:
> Hi,
> Any idea when is Http Client 4.0 is schedule for release.
> 

When it is ready.

4.0-alpha4 can be expected within the coming weeks. The API freeze
(beta1) can be expected towards the end of the year. I personally see no
need to rush the final release.


> Also has this been taken care in 4.0?

Partially. Connection managers in the 4.0 codeline are now capable of
handling stateful connections. However, I still need to add ability to
manage connection state to HttpClient itself.

Hope this helps

Oleg


> Http Client is planning to do this in 4.0
> It's on my list for 4.0, though it won't make it into client alpha1:
> http://wiki.apache.org/jakarta-httpclient/ConnectionManagementDesign
> 
> Please refer to mail chain below for issue and your comments:
> 
> ________________________________________________________________________
> ____
> Hi Odi,
> 
> > I would actually consider this a security issue in the connection
> > managers: It may hand out an already authenticated connection to an 
> > unsuspecting client. We should add fields to HttpConnection that keep 
> > track of the credentials for connection oriented AuthSchemes. So 
> > connection managers can take this into account. Also the connection 
> > managers lack a parameter in the getConnection methods that carries 
> > authentication information for connection based auth schemes.
> 
> It's on my list for 4.0, though it won't make it into client alpha1:
> http://wiki.apache.org/jakarta-httpclient/ConnectionManagementDesign
> It's not urgent since we won't have NTLM support for a while.
> 
> I don't think we can or should squeeze this into 3.x anymore.
> 
> cheers,
> Roland
> 
> 
> 
> Pankaj,
> 
> NTLM is designed to authenticate a connection. AFAIK it does not support
> a "logout" in the middle of a connection, nor does it support preemptive
> authentication. So the only way to force a new authentication is to
> close the connection. (e.g. try and clear the authentication to a mapped
> network drive in Windows. Probably the same issue there.)
> 
> Thus it's not possible to share a connection between users when using
> NTLM auth. Yes, this may cause a performance hit if you were planning to
> share a connection between different users.
> 
> You could tweak your connection manager to remember the authenticated
> user for each connection and try to find an already authenticated one or
> hand out a new one if you can't.
> 
> I would actually consider this a security issue in the connection
> managers: It may hand out an already authenticated connection to an
> unsuspecting client. We should add fields to HttpConnection that keep
> track of the credentials for connection oriented AuthSchemes. So
> connection managers can take this into account. Also the connection
> managers lack a parameter in the getConnection methods that carries
> authentication information for connection based auth schemes.
> 
> Ortwin
> 
> 
> Pankaj Arora wrote:
> > Thanks, That worked for me. Only thing that worries me is that 
> > connections don't persist now. It might be a performance issue. Only 
> > thing which I would like to know from you( as I am bit novice here)- 
> > what is the right behavior, my client not authenticating second time 
> > as connection is already authenticated or closing the connections to 
> > force authentication repeatedly.
> > 
> > Thanks, Pankaj Arora.
> 
> ________________________________________________________________________
> ____
> Thanks,
> Pankaj Arora
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
> For additional commands, e-mail: dev-help@hc.apache.org
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org


Mime
View raw message