hc-dev mailing list archives

From Oleg Kalnichevski <ol...@apache.org>
Subject Re: FW: HttpClient authentication problem.
Date Sat, 10 Jan 2009 13:33:28 GMT
Pankaj Arora wrote:
> Hi,
> I am using HttpClient 3.x till now. It looks like 4.x is completely overhauled and there
> are major API changes that happened. I thought solution to this problem lay in having authentication
> info available to connection managers so the stateful connection is not reused. I was looking
> at 4.x API docs http://hc.apache.org/httpcomponents-client/httpclient/apidocs/index.html
> And I don't see any MultiThreaded Connection Manager.

http://hc.apache.org/httpcomponents-client/examples.html
http://svn.apache.org/repos/asf/httpcomponents/httpclient/trunk/module-client/src/examples/org/apache/http/examples/client/ClientMultiThreadedExecution.java

> In fact looks like everything has moved to org.apache.http.* packages from org.apache.commons.*.

> If that's the case, 

Yes, this is the case, because 4.0 is a complete rewrite of the old code 
line.

> can you tell me if there is some guide that can tell me how I can make 
> my existing product compatible with 4.x release?

You need to port it to the new API.

> Second how the existing bug we are talking about can be resolved in new design.
> 

HTTP connection managers in 4.0 are now aware that connections can be 
stateful. They can take the connection state into consideration when 
serving a request for a persistent connection. Standard connection 
managers automatically take user identity into consideration when 
managing NTLM authenticated connections.

Please make sure to read this, though

http://hc.apache.org/httpcomponents-client/ntlm.html

Oleg

> I am sorry as I am bit confused as I wasn't following 4.x development from scratch.
> 
> Thanks,
> Pankaj Arora
> 
> -----Original Message-----
> From: Pankaj Arora [mailto:parora@castiron.com] 
> Sent: Tuesday, January 06, 2009 3:21 PM
> To: HttpComponents Project
> Subject: RE: FW: HttpClient authentication problem.
> 
> Hi Odi and Roland,
> Was curious to know if this feature finally made it to 4.0. Moreover, when is the final 4.0 version
> for commons expected?
> 
> Thanks,
> Pankaj Arora
> 
> 
> Hi Odi,
> 
>> I would actually consider this a security issue in the connection
>> managers: It may hand out an already authenticated connection to an 
>> unsuspecting client. We should add fields to HttpConnection that keep 
>> track of the credentials for connection oriented AuthSchemes. So 
>> connection managers can take this into account. Also the connection 
>> managers lack a parameter in the getConnection methods that carries 
>> authentication information for connection based auth schemes.
> 
> It's on my list for 4.0, though it won't make it into client alpha1:
> http://wiki.apache.org/jakarta-httpclient/ConnectionManagementDesign
> It's not urgent since we won't have NTLM support for a while.
> 
> I don't think we can or should squeeze this into 3.x anymore.
> 
> cheers,
>   Roland
> 
> -----Original Message-----
> From: Ortwin Glück [mailto:odi@odi.ch] 
> Sent: Friday, May 18, 2007 5:41 AM
> To: HttpComponents Project
> Subject: Re: FW: HttpClient authentication problem.
> 
> Pankaj,
> 
> NTLM is designed to authenticate a connection. AFAIK it does not support 
> a "logout" in the middle of a connection, nor does it support preemptive 
> authentication. So the only way to force a new authentication is to 
> close the connection. (e.g. try and clear the authentication to a mapped 
> network drive in Windows. Probably the same issue there.)
> 
> Thus it's not possible to share a connection between users when using 
> NTLM auth. Yes, this may cause a performance hit if you were planning to 
> share a connection between different users.
> 
> You could tweak your connection manager to remember the authenticated 
> user for each connection and try to find an already authenticated one or 
> hand out a new one if you can't.
> 
> I would actually consider this a security issue in the connection 
> managers: It may hand out an already authenticated connection to an 
> unsuspecting client. We should add fields to HttpConnection that keep 
> track of the credentials for connection oriented AuthSchemes. So 
> connection managers can take this into account. Also the connection 
> managers lack a parameter in the getConnection methods that carries 
> authentication information for connection based auth schemes.
> 
> Ortwin
> 
> 
> Pankaj Arora wrote:
>> Thanks, That worked for me. Only thing that worries me is that
>> connections don't persist now. It might be a performance issue. Only
>> thing which I would like to know from you( as I am bit novice here)-
>> what is the right behavior, my client not authenticating second time
>> as connection is already authenticated or closing the connections to
>> force authentication repeatedly.
>>
>> Thanks, Pankaj Arora.
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org
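
The behaviour discussed in this thread, as an added sketch that is not code from HttpClient or from any participant: a pool that records which user authenticated each connection and leases it back only for that same user, so a connection-bound NTLM identity is never handed to a different caller. All class and method names are hypothetical, and the route and user names are constructed sample values.

```java
import java.util.*;

// Illustrative sketch only; these names are hypothetical, not HttpClient API.
public class StatefulPoolDemo {
    // A pooled connection remembers which principal (if any) authenticated it.
    static final class PooledConn {
        final String route;
        Object state; // null means no connection-bound identity yet
        PooledConn(String route) { this.route = route; }
    }

    static final class StateAwarePool {
        private final Deque<PooledConn> idle = new ArrayDeque<>();

        // Reuse only a connection whose state equals the requesting user, or one
        // that is still stateless; never a connection bound to someone else.
        PooledConn lease(String route, Object user) {
            PooledConn stateless = null;
            for (Iterator<PooledConn> it = idle.iterator(); it.hasNext();) {
                PooledConn c = it.next();
                if (!c.route.equals(route)) continue;
                if (Objects.equals(c.state, user)) { it.remove(); return c; }
                if (c.state == null && stateless == null) stateless = c;
            }
            if (stateless != null) { idle.remove(stateless); return stateless; }
            return new PooledConn(route); // new socket, so a new NTLM handshake
        }

        // Called after the exchange with the user the connection is now bound to.
        void release(PooledConn c, Object authenticatedUser) {
            if (authenticatedUser != null) c.state = authenticatedUser;
            idle.addFirst(c);
        }
    }

    public static void main(String[] args) {
        StateAwarePool pool = new StateAwarePool();
        String route = "http://intranet.example:80"; // constructed sample route

        PooledConn a1 = pool.lease(route, "DOMAIN\\alice");
        pool.release(a1, "DOMAIN\\alice"); // handshake bound a1 to alice

        PooledConn b1 = pool.lease(route, "DOMAIN\\bob");
        System.out.println("bob got alice's connection: " + (b1 == a1));
        pool.release(b1, "DOMAIN\\bob");

        PooledConn anon = pool.lease(route, null); // request with no identity
        System.out.println("anonymous got a bound connection: " + (anon.state != null));

        PooledConn a2 = pool.lease(route, "DOMAIN\\alice");
        System.out.println("alice reuses her connection: " + (a2 == a1));
    }
}
```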

