hc-dev mailing list archives

From Oleg Kalnichevski <ol...@apache.org>
Subject RE: FW: HttpClient authentication problem.
Date Wed, 07 Jan 2009 09:38:34 GMT
On Tue, 2009-01-06 at 15:21 -0800, Pankaj Arora wrote:
> Hi Odi and Roland,
> Was curious to know if this feature finally made it into 4.0.

Yes, it has


>  Moreover, when is the final 4.0 version for commons expected?
> 

Q2 2009

Oleg


> Thanks,
> Pankaj Arora
> 
> 
> Hi Odi,
> 
> > I would actually consider this a security issue in the connection
> > managers: It may hand out an already authenticated connection to an 
> > unsuspecting client. We should add fields to HttpConnection that keep 
> > track of the credentials for connection oriented AuthSchemes. So 
> > connection managers can take this into account. Also the connection 
> > managers lack a parameter in the getConnection methods that carries 
> > authentication information for connection based auth schemes.
> 
> It's on my list for 4.0, though it won't make it into client alpha1:
> http://wiki.apache.org/jakarta-httpclient/ConnectionManagementDesign
> It's not urgent since we won't have NTLM support for a while.
> 
> I don't think we can or should squeeze this into 3.x anymore.
> 
> cheers,
>   Roland
> 
> -----Original Message-----
> From: Ortwin Glück [mailto:odi@odi.ch] 
> Sent: Friday, May 18, 2007 5:41 AM
> To: HttpComponents Project
> Subject: Re: FW: HttpClient authentication problem.
> 
> Pankaj,
> 
> NTLM is designed to authenticate a connection. AFAIK it does not support 
> a "logout" in the middle of a connection, nor does it support preemptive 
> authentication. So the only way to force a new authentication is to 
> close the connection. (e.g. try and clear the authentication to a mapped 
> network drive in Windows. Probably the same issue there.)
> 
> Thus it's not possible to share a connection between users when using 
> NTLM auth. Yes, this may cause a performance hit if you were planning to 
> share a connection between different users.
> 
> You could tweak your connection manager to remember the authenticated 
> user for each connection and try to find an already authenticated one or 
> hand out a new one if you can't.
> 
> I would actually consider this a security issue in the connection 
> managers: It may hand out an already authenticated connection to an 
> unsuspecting client. We should add fields to HttpConnection that keep 
> track of the credentials for connection oriented AuthSchemes. So 
> connection managers can take this into account. Also the connection 
> managers lack a parameter in the getConnection methods that carries 
> authentication information for connection based auth schemes.
> 
> Ortwin
> 
> 
> Pankaj Arora wrote:
> > Thanks, That worked for me. Only thing that worries me is that
> > connections don't persist now. It might be a performance issue. Only
> > thing which I would like to know from you (as I am a bit of a novice here) -
> > what is the right behavior, my client not authenticating second time
> > as connection is already authenticated or closing the connections to
> > force authentication repeatedly.
> > 
> > Thanks, Pankaj Arora.
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org
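
The per-connection user tracking suggested in the quoted 2007 message, as an added example that is not part of the thread and not HttpClient's own code. The names `UserAwarePool`, `Conn`, `lease` and `release` are hypothetical, and letting any caller take a connection that carries no authenticated identity is an assumption of this example.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Iterator;

// Hypothetical pool; illustrates the idea only, not HttpClient's API.
public class UserAwarePool {
    static final class Conn {
        final String route;   // constructed sample: "http://intranet.example:80"
        String authUser;      // principal bound by a connection-based scheme, or null
        Conn(String route) { this.route = route; }
    }

    private final Deque<Conn> idle = new ArrayDeque<>();

    // Lease a connection for `user` (null means an anonymous caller).
    synchronized Conn lease(String route, String user) {
        Conn unbound = null;
        for (Iterator<Conn> it = idle.iterator(); it.hasNext(); ) {
            Conn c = it.next();
            if (!c.route.equals(route)) continue;
            // Prefer a connection already authenticated as the same user.
            if (c.authUser != null && c.authUser.equals(user)) { it.remove(); return c; }
            // Remember one connection that carries no identity at all.
            if (c.authUser == null && unbound == null) unbound = c;
        }
        if (unbound != null) { idle.remove(unbound); return unbound; }
        return new Conn(route);   // never hand out another user's connection
    }

    // The caller reports which principal, if any, authenticated the connection.
    synchronized void release(Conn c, String authenticatedAs) {
        c.authUser = authenticatedAs;
        idle.addFirst(c);
    }

    public static void main(String[] args) {
        UserAwarePool pool = new UserAwarePool();
        String route = "http://intranet.example:80";   // constructed sample route
        Conn a = pool.lease(route, "alice");
        pool.release(a, "alice");                      // handshake completed as alice
        Conn b = pool.lease(route, "bob");
        System.out.println("bob received alice's connection: " + (a == b));
        pool.release(b, "bob");
        Conn a2 = pool.lease(route, "alice");
        System.out.println("alice reused her own connection: " + (a == a2));
    }
}
```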

