hc-httpclient-users mailing list archives

From: "Sabarivasan Viswanathan" <sabariva...@gmail.com>
Subject: Re: Problem disabling BASIC authentication
Date: Tue, 29 Jul 2008 15:44:03 GMT

Thanks as always for a prompt response that answers all my questions.

Sabari

On Tue, Jul 29, 2008 at 5:14 AM, Oleg Kalnichevski <olegk@apache.org> wrote:

> Sabarivasan Viswanathan wrote:
>
>> Hello,
>>
>> I am having trouble disabling every scheme except DIGEST and sending
>> credentials preemptively.
>>
>> What I see when I use Wireshark is that the first HTTP request sends
>> credentials in BASIC mode. The server sends a 401 challenge after which
>> the client sends the correct DIGEST credentials. For obvious security
>> reasons, I want to avoid sending credentials in clear text using BASIC
>> authentication.
>>
>> If possible, I would also like to avoid the challenge step and use
>> preemptive authentication so that only 1 round trip is needed.
>>
>> Here is my code:
>>        HttpClient client = new HttpClient();
>>
>>        client.getState().setCredentials(
>>                new AuthScope("host", 80, "securearea"),
>>                new UsernamePasswordCredentials("username", "password"));
>>
>>        List authPrefs = new ArrayList(1);
>>        authPrefs.add(AuthPolicy.DIGEST);
>>        client.getParams().setParameter(AuthPolicy.AUTH_SCHEME_PRIORITY, authPrefs);
>>
>>        client.getParams().setAuthenticationPreemptive(true);
>>
>>        PostMethod post = new PostMethod("http://host/resource");
>>        post.setDoAuthentication(true);
>>
>>        int result = client.executeMethod(post);
>> ....
>>
>> I have noticed that if I uncomment the line that does
>> setAuthenticationPreemptive(true), the first request does not send any
>> credentials at all and the 2nd request uses DIGEST credentials
>> appropriately.
>>
>> Is there anything I am missing?
>>
>> Sabari
>>
>>
>>
> Sabarivasan,
>
> HttpClient 3.x can only authenticate preemptively using BASIC scheme.
> HttpClient 4.0 can optionally store the DIGEST challenge in the execution
> context and use it for preemptive authentication:
>
>
> http://svn.apache.org/repos/asf/httpcomponents/httpclient/trunk/module-client/src/examples/org/apache/http/examples/client/ClientPreemptiveDigestAuthentication.java
>
> Preemptive authentication of any kind is generally discouraged, though.
>
> Oleg
>
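
Added example, not part of the original thread and not HttpClient code: a JDK-only sketch of why BASIC can always be sent preemptively but exposes the password, while a DIGEST response cannot be computed until the client holds the realm and nonce from a server challenge. The class name `AuthHeaderDemo` is hypothetical; the sample values are the worked example from RFC 2617 section 3.5.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

public class AuthHeaderDemo {

    // BASIC needs nothing from the server, so it can be sent on the first
    // request, but the header is only base64 of "user:password".
    static String basicHeader(String user, String password) {
        byte[] raw = (user + ":" + password).getBytes(StandardCharsets.ISO_8859_1);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    static String md5Hex(String s) throws NoSuchAlgorithmException {
        byte[] d = MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.ISO_8859_1));
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // RFC 2617 request-digest for qop=auth. realm and nonce come from the
    // server's 401 challenge, so the client must have seen and stored one.
    static String digestResponse(String user, String realm, String password, String method,
            String uri, String nonce, String nc, String cnonce) throws NoSuchAlgorithmException {
        String ha1 = md5Hex(user + ":" + realm + ":" + password);
        String ha2 = md5Hex(method + ":" + uri);
        return md5Hex(ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":auth:" + ha2);
    }

    public static void main(String[] args) throws Exception {
        // Sample credentials and challenge values from RFC 2617 section 3.5.
        String user = "Mufasa", password = "Circle Of Life";
        String header = basicHeader(user, password);
        String b64 = header.substring("Basic ".length());
        String recovered = new String(Base64.getDecoder().decode(b64), StandardCharsets.ISO_8859_1);
        System.out.println(header + "  -> decodes to " + recovered);

        String response = digestResponse(user, "testrealm@host.com", password, "GET",
                "/dir/index.html", "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b");
        if (!response.equals("6629fae49393a05397450978507c4ef1")) {
            throw new AssertionError("does not match the RFC 2617 example: " + response);
        }
        System.out.println("Digest response=" + response + " (password itself is not sent)");
    }
}
```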
