Mailing-List: contact dev-help@hc.apache.org; run by ezmlm
Precedence: bulk
Reply-To: "HttpComponents Project" <dev@hc.apache.org>
Received-SPF: pass (nike.apache.org: local policy)
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Subject: RE: FW: HttpClient authentication problem.
Date: Fri, 9 Jan 2009 12:04:50 -0800
Message-ID: 
 <1AA95300F8CC2D4583ACBC20FDD3B13D0AE02371@hq-exch-01.castiron.corp>
In-Reply-To: 
 <1AA95300F8CC2D4583ACBC20FDD3B13D0AD257DC@hq-exch-01.castiron.corp>
Thread-Topic: FW: HttpClient authentication problem.
Thread-Index: AceZSYgzF7sNXYsGRwSgHnRtIRfsUHXC6x6gAI/OHNA=
References: 
 <1AA95300F8CC2D4583ACBC20FDD3B13D056F2FEE@hq-exch-01.castiron.corp>
 <464D9EC6.8010207@odi.ch>
 <1AA95300F8CC2D4583ACBC20FDD3B13D0AD257DC@hq-exch-01.castiron.corp>
From: "Pankaj Arora" <parora@castiron.com>
To: "HttpComponents Project" <dev@hc.apache.org>,
	"HttpComponents Project" <httpcomponents-dev@jakarta.apache.org>

Hi,
I am using HttpClient 3.x till now. It looks like 4.x is completely =
overhauled and there are major API changes that happened. I thought =
solution to this problem lied in having authentication info available to =
connection managers so the stateful connection is not reused. I was =
looking at 4.x Api docs =
http://hc.apache.org/httpcomponents-client/httpclient/apidocs/index.html
And I don't see any MultiThreaded Connection Manager.
In fact looks like everything has moved to org.apache.http.* packages =
from org.apache.commons.*.=20
If that's the case, can you tell me if there is some guide that can tell =
me how I can make my existing product compatible with 4.x release?
Second how the existing bug we are talking about can be resolved in new =
design.

I am sorry as I am bit confused as I wasn't following 4.x development =
from scratch.

Thanks,
Pankaj Arora

-----Original Message-----
From: Pankaj Arora [mailto:parora@castiron.com]=20
Sent: Tuesday, January 06, 2009 3:21 PM
To: HttpComponents Project
Subject: RE: FW: HttpClient authentication problem.

Hi Odi and Roland,
Was curious to know if this feature finally made to 4.0. Moreover when =
final 4.0 verison for commons is expected?

Thanks,
Pankaj Arora


Hi Odi,

> I would actually consider this a security issue in the connection
> managers: It may hand out an already authenticated connection to an=20
> unsuspecting client. We should add fields to HttpConnection that keep=20
> track of the credentials for connection oriented AuthSchemes. So=20
> connection managers can take this into account. Also the connection=20
> managers lack a parameter in the getConnection methods that carries=20
> authentication information for connection based auth schemes.

It's on my list for 4.0, though it won't make it into client alpha1:
http://wiki.apache.org/jakarta-httpclient/ConnectionManagementDesign
It's not urgent since we won't have NTLM support for a while.

I don't think we can or should squeeze this into 3.x anymore.

cheers,
  Roland

-----Original Message-----
From: Ortwin Gl=FCck [mailto:odi@odi.ch]=20
Sent: Friday, May 18, 2007 5:41 AM
To: HttpComponents Project
Subject: Re: FW: HttpClient authentication problem.

Pankaj,

NTLM is designed to authenticate a connection. AFAIK it does not support =

a "logout" in the middle of a connection, nor does it support preemptive =

authentication. So the only way to force a new authentication is to=20
close the connection. (e.g. try and clear the authentication to a mapped =

network drive in Windows. Probably the same issue there.)

Thus it's not possible to share a connection between users when using=20
NTLM auth. Yes, this may cause a performance hit if you were planning to =

share a connection between different users.

You could tweak your connection manager to remember the authenticated=20
user for each connection and try to find an already authenticated one or =

hand out a new one if you can't.

I would actually consider this a security issue in the connection=20
managers: It may hand out an already authenticated connection to an=20
unsuspecting client. We should add fields to HttpConnection that keep=20
track of the credentials for connection oriented AuthSchemes. So=20
connection managers can take this into account. Also the connection=20
managers lack a parameter in the getConnection methods that carries=20
authentication information for connection based auth schemes.

Ortwin


Pankaj Arora wrote:
> Thanks, That worked for me. Only thing that worries me is that
> connections don't persist now. It might be a performance issue. Only
> thing which I would like to know from you( as I am bit novice here)-
> what is the right behavior, my client not authenticating second time
> as connection is already authenticated or closing the connections to
> force authentication repeatedly.
>=20
> Thanks, Pankaj Arora.

--=20
[web]  http://www.odi.ch/
[blog] http://www.odi.ch/weblog/
[pgp]  key 0x81CF3416
        finger print F2B1 B21F F056 D53E 5D79 A5AF 02BE 70F5 81CF 3416

---------------------------------------------------------------------
To unsubscribe, e-mail: =
httpcomponents-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: =
httpcomponents-dev-help@jakarta.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org