hc-dev mailing list archives

From "Pankaj Arora" <par...@castiron.com>
Subject RE: FW: HttpClient authentication problem.
Date Fri, 09 Jan 2009 20:04:50 GMT
Hi,
I have been using HttpClient 3.x till now. It looks like 4.x is completely overhauled and there are
major API changes. I thought the solution to this problem lay in having authentication
info available to connection managers so that the stateful connection is not reused. I was looking
at the 4.x API docs http://hc.apache.org/httpcomponents-client/httpclient/apidocs/index.html
and I don't see any MultiThreaded Connection Manager.
In fact, it looks like everything has moved to org.apache.http.* packages from org.apache.commons.*.

If that's the case, can you tell me if there is some guide that can tell me how I can make
my existing product compatible with the 4.x release?
Second, how can the existing bug we are talking about be resolved in the new design?

I am sorry, I am a bit confused as I wasn't following 4.x development from scratch.

Thanks,
Pankaj Arora

-----Original Message-----
From: Pankaj Arora [mailto:parora@castiron.com] 
Sent: Tuesday, January 06, 2009 3:21 PM
To: HttpComponents Project
Subject: RE: FW: HttpClient authentication problem.

Hi Odi and Roland,
I was curious to know if this feature finally made it into 4.0. Moreover, when is the final 4.0 version for
commons expected?

Thanks,
Pankaj Arora


Hi Odi,

> I would actually consider this a security issue in the connection
> managers: It may hand out an already authenticated connection to an 
> unsuspecting client. We should add fields to HttpConnection that keep 
> track of the credentials for connection oriented AuthSchemes. So 
> connection managers can take this into account. Also the connection 
> managers lack a parameter in the getConnection methods that carries 
> authentication information for connection based auth schemes.

It's on my list for 4.0, though it won't make it into client alpha1:
http://wiki.apache.org/jakarta-httpclient/ConnectionManagementDesign
It's not urgent since we won't have NTLM support for a while.

I don't think we can or should squeeze this into 3.x anymore.

cheers,
  Roland

-----Original Message-----
From: Ortwin Glück [mailto:odi@odi.ch] 
Sent: Friday, May 18, 2007 5:41 AM
To: HttpComponents Project
Subject: Re: FW: HttpClient authentication problem.

Pankaj,

NTLM is designed to authenticate a connection. AFAIK it does not support 
a "logout" in the middle of a connection, nor does it support preemptive 
authentication. So the only way to force a new authentication is to 
close the connection. (e.g. try and clear the authentication to a mapped 
network drive in Windows. Probably the same issue there.)

Thus it's not possible to share a connection between users when using 
NTLM auth. Yes, this may cause a performance hit if you were planning to 
share a connection between different users.

You could tweak your connection manager to remember the authenticated 
user for each connection and try to find an already authenticated one or 
hand out a new one if you can't.

I would actually consider this a security issue in the connection 
managers: It may hand out an already authenticated connection to an 
unsuspecting client. We should add fields to HttpConnection that keep 
track of the credentials for connection oriented AuthSchemes. So 
connection managers can take this into account. Also the connection 
managers lack a parameter in the getConnection methods that carries 
authentication information for connection based auth schemes.

Ortwin


Pankaj Arora wrote:
> Thanks, that worked for me. The only thing that worries me is that
> connections don't persist now. It might be a performance issue. The only
> thing which I would like to know from you (as I am a bit of a novice here):
> what is the right behavior, my client not authenticating a second time
> as the connection is already authenticated, or closing the connections to
> force authentication repeatedly?
> 
> Thanks, Pankaj Arora.

-- 
[web]  http://www.odi.ch/
[blog] http://www.odi.ch/weblog/
[pgp]  key 0x81CF3416
        finger print F2B1 B21F F056 D53E 5D79 A5AF 02BE 70F5 81CF 3416

---------------------------------------------------------------------
To unsubscribe, e-mail: httpcomponents-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpcomponents-dev-help@jakarta.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org
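
Ortwin's suggestion above (have the connection manager remember the authenticated user for each connection, and hand out a new one when no matching connection exists) as an added example; it is not part of the original thread and is not HttpClient code. The class, field and method names, the host and the user names are hypothetical.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;

// Added illustration with hypothetical names; this is not the HttpClient API.
public class UserAwarePool {
    /** Stand-in for a persistent connection to one host. */
    static final class Conn {
        final String host;
        String authenticatedUser; // null until a connection-based scheme (e.g. NTLM) completes
        Conn(String host) { this.host = host; }
    }

    private final Map<String, Deque<Conn>> idle = new HashMap<>();

    /** Lease a connection for 'user' (null = anonymous); never one authenticated as someone else. */
    public synchronized Conn lease(String host, String user) {
        Deque<Conn> queue = idle.get(host);
        if (queue != null) {
            for (Iterator<Conn> it = queue.iterator(); it.hasNext();) {
                Conn c = it.next();
                // Reusable only if still unauthenticated or already bound to this same user.
                if (c.authenticatedUser == null || c.authenticatedUser.equals(user)) {
                    it.remove();
                    return c;
                }
            }
        }
        return new Conn(host); // nothing safe to reuse: open a fresh one, caller authenticates
    }

    /** Return a connection to the idle pool, keeping its recorded identity. */
    public synchronized void release(Conn c) {
        idle.computeIfAbsent(c.host, h -> new ArrayDeque<>()).add(c);
    }

    public static void main(String[] args) {
        UserAwarePool pool = new UserAwarePool();
        Conn a = pool.lease("intranet.example", "alice"); // constructed host and users
        a.authenticatedUser = "alice"; // handshake finished on this connection
        pool.release(a);
        Conn b = pool.lease("intranet.example", "bob");
        System.out.println("bob was handed alice's connection: " + (b == a));
        Conn a2 = pool.lease("intranet.example", "alice");
        System.out.println("alice reused her own connection: " + (a2 == a));
    }
}
```

Recording the identity on the connection keeps persistent connections for repeat requests by the same user, so only a change of user costs a new connection and handshake.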

