hc-httpclient-users mailing list archives

From Oleg Kalnichevski <ol...@apache.org>
Subject Re: HTTP Basic auth requests
Date Mon, 08 Nov 2004 09:29:03 GMT
On Mon, Nov 08, 2004 at 10:16:43AM +0100, Vjeran Marcinko wrote:
> Oleg,
> 
> Thanks for the answers. But one more question - since HttpClient is suggested
> to be used as a singleton, and HttpMethod is the one that should get
> instantiated during each request, one would assume that all things tied to
> that request should be set on that HttpMethod instance.
> But let's say that my singleton HttpClient serves for performing various
> HTTP requests, of which some require BASIC auth and some don't, but since
> user credentials are tied to HttpClient and not HttpMethod (set by
> client.getState().setCredentials...), isn't that a design issue, or is it
> just unsuitable for my case, while most cases out there would be fine
> with it?

Vjeran,

You can always override the default HttpState and HostConfiguration by
using the following method leaving HttpClient in charge of connection
management only:

http://jakarta.apache.org/commons/httpclient/apidocs/org/apache/commons/httpclient/HttpClient.html#executeMethod(org.apache.commons.httpclient.HostConfiguration,
org.apache.commons.httpclient.HttpMethod,
org.apache.commons.httpclient.HttpState)

I hope this addresses your concerns.

Oleg

> 
> -Vjeran
> 
> ----- Original Message ----- 
> From: "Oleg Kalnichevski" <olegk@apache.org>
> To: <httpclient-user@jakarta.apache.org>
> Sent: Monday, November 08, 2004 9:56 AM
> Subject: Re: HTTP Basic auth requests
> 
> 
> > Vjeran
> >
> > Usually one needs to know the authentication realm of the resource one
> > is trying to access. It is possible to force the preemptive
> > authentication using BASIC scheme. This approach has significant
> > security risks as (1) one may end up sending credentials to an untrusted
> > site by mistake, and (2) BASIC authentication is inherently insecure.
> >
> > This said, if you are reasonably sure that you can mitigate the security
> > risks and absolutely have to save that first server roundtrip, the
> > preemptive authentication is the way to go. For further details see the
> > HttpClient authentication guide:
> >
> > http://jakarta.apache.org/commons/httpclient/3.0/authentication.html
> >
> > Cheers,
> >
> > Oleg
> >
> > On Mon, Nov 08, 2004 at 05:34:53AM +0100, Vjeran Marcinko wrote:
> > > Hi again.
> > >
> > > Can I just ask why HttpClient, when having set HTTP Basic auth, doesn't
> > > send Authorization header in such request at first, but tries to send one
> > > without it and when it fails with status code 401, it sends the complete one?
> > >
> > > -Vjeran
> > >
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
> > > For additional commands, e-mail: httpclient-user-help@jakarta.apache.org
> > >

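The per-request HttpState approach from the reply above, as an added example that is not part of the original thread or of the HttpClient project's code. It assumes Commons HttpClient 3.x (with commons-logging and commons-codec) on the classpath; the class name, the `get` helper, the local test server, the realm "demo" and the user "alice" are constructed for illustration.

```java
import com.sun.net.httpserver.BasicAuthenticator;
import com.sun.net.httpserver.HttpHandler;
import com.sun.net.httpserver.HttpServer;
import java.net.InetSocketAddress;
import org.apache.commons.httpclient.*;
import org.apache.commons.httpclient.auth.AuthScope;
import org.apache.commons.httpclient.methods.GetMethod;

public class PerRequestState {
    // One shared client: it only manages the connection pool.
    static final HttpClient CLIENT = new HttpClient(new MultiThreadedHttpConnectionManager());

    // Runs one GET with the caller's own HttpState; a null host configuration
    // lets HttpClient derive the host from the absolute request URI.
    static int get(String url, HttpState state) throws Exception {
        GetMethod method = new GetMethod(url);
        try {
            return CLIENT.executeMethod(null, method, state);
        } finally {
            method.releaseConnection();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed local test server: /private needs Basic auth, realm "demo".
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        HttpHandler ok = ex -> { ex.sendResponseHeaders(204, -1); ex.close(); };
        server.createContext("/private", ok).setAuthenticator(new BasicAuthenticator("demo") {
            public boolean checkCredentials(String user, String pass) {
                return "alice".equals(user) && "s3cret".equals(pass);
            }
        });
        server.start();
        int port = server.getAddress().getPort();
        String url = "http://127.0.0.1:" + port + "/private";

        // State for authenticated calls: credentials bound to one host, port and
        // realm, so they are not offered to any other server. Preemptive auth stays off.
        HttpState authed = new HttpState();
        authed.setCredentials(new AuthScope("127.0.0.1", port, "demo"),
                new UsernamePasswordCredentials("alice", "s3cret"));

        System.out.println("scoped state: " + get(url, authed));
        System.out.println("empty state:  " + get(url, new HttpState()));
        server.stop(0);
    }
}
```

The request made with the scoped state is challenged once and then succeeds, while the request made with an empty HttpState through the same shared client stays at 401 because that state holds no credentials to send.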

