hc-httpclient-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sabarivasan Viswanathan" <sabariva...@gmail.com>
Subject Problem disabling BASIC authentication
Date Mon, 28 Jul 2008 23:31:39 GMT
Hello,

I am having trouble disabling every scheme except DIGEST and sending
credentials preemptively.

What I see when I use Wireshark is that the first HTTP request sends
credentials in BASIC mode. The server sends a 401 challenge after which the
client sends the correct DIGEST credentials. For obvious security reasons, I
want to avoid sending credentials in clear text using BASIC authentication.

If possible, I would also like to avoid the challenge step and use
preemptive authentication so that only 1 round trip is needed.

Here is my code:
        HttpClient client = new HttpClient();

        client.getState().setCredentials(new AuthScope("host", 80,
"securearea"),
                                         new
UsernamePasswordCredentials("username", "password");

        List authPrefs = new ArrayList(1);
        authPrefs.add(AuthPolicy.DIGEST);
        client.getParams().setParameter(AuthPolicy.AUTH_SCHEME_PRIORITY,
authPrefs);

        client.getParams().setAuthenticationPreemptive(true);

        PostMethod post = new PostMethod("http://host/resource");
        post.setDoAuthentication(true);

        int result = client.executeMethod(post);
....

I have noticed that if I uncomment the line that does
setAuthenticationPreemptive(true), the first request does not send any
credentials at all and the 2nd request uses DIGEST credentials
appropriately.

Is there anything I am missing?

Sabari

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message