hc-httpclient-users mailing list archives

From Oleg Kalnichevski <ol...@apache.org>
Subject Re: Repeated Proxy-Authorization Challenges
Date Tue, 13 Nov 2007 10:23:20 GMT

On Mon, 2007-11-12 at 17:35 +0100, Kevin Crosbie wrote:
> Kevin Crosbie wrote:
> > I guess I can store the Proxy-Authorization header as a string and set
> > the header value every time I make a request.
> >   
> 
> Looks like it's not so easy to just save the Proxy-Authorization header.
> If I say:
> <snip>
> if (this.authHeader != null)
>    method.setRequestHeader(this.authHeader);
> </snip>
> <snip>
> int status = client.executeMethod(method);
> </snip>
> <snip>
> this.authHeader = method.getRequestHeader("Proxy-Authorization");
> </snip>
> 
> where this.authHeader is of type org.apache.commons.httpclient.Header
> and the <snip></snip> are pieces taken from my code where more code runs
> between snips, such as setDoAuthentication etc.
> 
> This works fine, if the challenge is always correct but if, say, the
> nonce had changed between posts, then the challenge is not processed a
> second time (i.e. the header that I added is taken to be the response to
> the challenge generated in this iteration).
> 
> I guess the only way to fix this is to change the authorizers so that
> they can cache intermediate requests and try to authenticate at least
> one more time in the case of Digest authentication if a challenge is
> received after a post.
> 

Kevin,

There is a trade-off between security and performance. The whole
point of generating new nonce values is to make Digest authentication
less prone to brute-force attacks. The less frequently the nonce changes,
the more likely is the chance that the authentication can be brute-forced.
Preemptive authentication simply defeats the purpose of the Digest
authentication scheme.

In general any kind of preemptive authentication is a security risk.

Oleg

> Anyway, just thought I'd update.
> 
> Best Regards,
> 
> Kevin Crosbie
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: httpclient-user-help@jakarta.apache.org
> 
> 


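As an added illustration of Oleg's point (example code written for this archive page, not code from HttpClient or from either poster): a minimal RFC 2617 Digest verifier that rotates its nonce, checked against a cached Proxy-Authorization header replayed the way Kevin's snippet does. The realm, user, password, URI and nonce handling are constructed assumptions; the replayed header is rejected once the nonce rotates, and a header recomputed from the new challenge is accepted.

```python
import hashlib
import secrets

# Constructed demo credentials and request; not from the thread.
REALM, USER, PASSWORD = "proxy-realm", "kevin", "s3cret"
METHOD, URI = "POST", "/submit"


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, password, realm, nonce, method, uri, nc, cnonce, qop="auth"):
    """RFC 2617 (MD5, qop=auth): response = H(H(A1):nonce:nc:cnonce:qop:H(A2))."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_proxy_authorization(nonce, nc="00000001", cnonce="0a4f113b"):
    """Client side: the header value a client would send for this challenge nonce."""
    resp = digest_response(USER, PASSWORD, REALM, nonce, METHOD, URI, nc, cnonce)
    return (f'Digest username="{USER}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{URI}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def parse_digest_header(header: str) -> dict:
    """Split the 'key=value, ...' list after 'Digest ', stripping quotes."""
    params = {}
    for part in header.split(" ", 1)[1].split(","):
        k, v = part.strip().split("=", 1)
        params[k] = v.strip('"')
    return params


class ProxyDigestVerifier:
    """Proxy side: accepts only its current nonce, and each nc only once."""
    def __init__(self):
        self.current_nonce = secrets.token_hex(8)
        self.seen_nc = set()

    def rotate_nonce(self):
        self.current_nonce = secrets.token_hex(8)
        self.seen_nc.clear()

    def verify(self, header: str) -> bool:
        p = parse_digest_header(header)
        if p.get("nonce") != self.current_nonce:
            return False  # stale nonce: a cached header replayed after rotation
        if (p["nonce"], p["nc"]) in self.seen_nc:
            return False  # same nonce and nonce-count seen before: replay
        expected = digest_response(USER, PASSWORD, REALM, p["nonce"], METHOD,
                                   p["uri"], p["nc"], p["cnonce"])
        if not secrets.compare_digest(expected, p["response"]):
            return False
        self.seen_nc.add((p["nonce"], p["nc"]))
        return True


def demo_cached_header_replay():
    """Returns (first request ok, cached header after rotation ok, fresh header ok)."""
    proxy = ProxyDigestVerifier()
    cached = build_proxy_authorization(proxy.current_nonce)
    first = proxy.verify(cached)
    proxy.rotate_nonce()
    replayed = proxy.verify(cached)
    fresh = proxy.verify(build_proxy_authorization(proxy.current_nonce))
    return first, replayed, fresh
```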