From: "Sabarivasan Viswanathan"
To: "HttpClient User Discussion"
Date: Tue, 29 Jul 2008 08:44:03 -0700
Subject: Re: Problem disabling BASIC authentication

Thanks as always for a prompt response that answers all my questions.

Sabari

On Tue, Jul 29, 2008 at 5:14 AM, Oleg Kalnichevski wrote:

> Sabarivasan Viswanathan wrote:
>
>> Hello,
>>
>> I am having trouble disabling every scheme except DIGEST and sending
>> credentials preemptively.
>>
>> What I see when I use Wireshark is that the first HTTP request sends
>> credentials in BASIC mode. The server sends a 401 challenge after which
>> the client sends the correct DIGEST credentials. For obvious security
>> reasons, I want to avoid sending credentials in clear text using BASIC
>> authentication.
>>
>> If possible, I would also like to avoid the challenge step and use
>> preemptive authentication so that only 1 round trip is needed.
>>
>> Here is my code:
>>         HttpClient client = new HttpClient();
>>
>>         client.getState().setCredentials(new AuthScope("host", 80, "securearea"),
>>                 new UsernamePasswordCredentials("username", "password"));
>>
>>         List authPrefs = new ArrayList(1);
>>         authPrefs.add(AuthPolicy.DIGEST);
>>         client.getParams().setParameter(AuthPolicy.AUTH_SCHEME_PRIORITY, authPrefs);
>>
>>         client.getParams().setAuthenticationPreemptive(true);
>>
>>         PostMethod post = new PostMethod("http://host/resource");
>>         post.setDoAuthentication(true);
>>
>>         int result = client.executeMethod(post);
>>         ....
>>
>> I have noticed that if I uncomment the line that does
>> setAuthenticationPreemptive(true), the first request does not send any
>> credentials at all and the 2nd request uses DIGEST credentials
>> appropriately.
>>
>> Is there anything I am missing?
>>
>> Sabari
>>
> Sabarivasan,
>
> HttpClient 3.x can only authenticate preemptively using BASIC scheme.
> HttpClient 4.0 can optionally store the DIGEST challenge in the execution
> context and use it for preemptive authentication:
>
> http://svn.apache.org/repos/asf/httpcomponents/httpclient/trunk/module-client/src/examples/org/apache/http/examples/client/ClientPreemptiveDigestAuthentication.java
>
> Preemptive authentication of any kind is generally discouraged, though.
>
> Oleg
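Added example, not part of the original messages and not HttpClient code: a plain-JDK sketch of why the behaviour in this thread arises. A BASIC header can be built before any server contact and decodes straight back to the password, while an RFC 2617 DIGEST response (qop=auth) needs the nonce from the 401 challenge. The class name, nonces, nc and cnonce values are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

// Added illustration (hypothetical class name); uses only the JDK, not HttpClient.
public class BasicVsDigest {
    static String md5Hex(String s) throws Exception {
        byte[] d = MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.ISO_8859_1));
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // BASIC needs nothing from the server, so it can go out on the very first request.
    static String basicHeader(String user, String pass) {
        byte[] raw = (user + ":" + pass).getBytes(StandardCharsets.ISO_8859_1);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    // Base64 is an encoding, not encryption: a captured header yields "user:password".
    static String decodeBasic(String header) {
        byte[] raw = Base64.getDecoder().decode(header.substring("Basic ".length()));
        return new String(raw, StandardCharsets.ISO_8859_1);
    }

    // RFC 2617 DIGEST with qop=auth: the server-issued nonce is an input to the hash.
    static String digestResponse(String user, String realm, String pass, String method,
                                 String uri, String nonce, String nc, String cnonce) throws Exception {
        String ha1 = md5Hex(user + ":" + realm + ":" + pass);
        String ha2 = md5Hex(method + ":" + uri);
        return md5Hex(ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":auth:" + ha2);
    }

    public static void main(String[] args) throws Exception {
        String basic = basicHeader("username", "password");
        System.out.println("Preemptive BASIC header:  " + basic);
        System.out.println("Decoded by any observer:  " + decodeBasic(basic));

        // Constructed nonces standing in for two different 401 challenges.
        for (String nonce : new String[] {"constructed-nonce-A", "constructed-nonce-B"}) {
            String r = digestResponse("username", "securearea", "password", "POST",
                    "/resource", nonce, "00000001", "0a4f113b");
            System.out.println("DIGEST response for " + nonce + ": " + r);
        }
    }
}
```

The two DIGEST lines differ only because the nonce differs, which is why a client needs a stored challenge, as in the HttpClient 4.0 approach Oleg mentions, before it can send DIGEST credentials preemptively.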