hc-httpclient-users mailing list archives

From Oleg Kalnichevski <ol...@apache.org>
Subject Re: Preemptive auth and mixed auth types and alpha5
Date Wed, 20 Aug 2008 15:32:04 GMT
On Wed, 2008-08-20 at 11:44 +0200, Sebastiaan van Erk wrote:
> Hi,
> 
> Unfortunately the HEAD option is not very stable either. The nonce is 
> usable only once as well, so in the next post it is no good anymore. 
> However, if I set the nonce preemptively using the request/response 
> interceptor method ISA will say 407 but httpclient will not try again, 
> which will mean that due to the response interceptor the new DIGEST auth 
> has been saved and it will work for the next POST.
> 
> I don't really understand why httpclient does retry the request when 
> there is no auth preemptively set, but does not retry the request when 
> there is.
> 
> Also I'm afraid this solution is very brittle: if the HTTP target 
> requires any kind of digest authentication I'm sure this will completely 
> fail.
> 

I am not sure I understand the problem. Could you please post wire logs
of both sessions?

> The only thing I can really think of is to somehow make the POST 
> repeatable (buffer it?). Is the value of isRepeatable() allowed to 
> change?

No, but you can decorate the entity with a buffering wrapper similar to
the BufferedHttpEntity.

Hope this helps

Oleg

> I.e. it is repeatable as long as we're in the first 4096 bytes 
> of the stream (the buffer), but after that, it is no more? I can't 
> buffer multimegabytes, but as long as I can buffer enough to handle 
> the authentication, it should do the trick...
> 
> Regards,
> Sebastiaan
> 
> Sebastiaan van Erk wrote:
> > Just as I replied to this message, I noticed that I had not tried the 
> > HEAD option which you suggested.
> > 
> > I tried it, and it does in fact work with DIGEST.
> > 
> > Thanks!
> > 
> > Regards,
> > Sebastiaan
> > 
> > Sebastiaan van Erk wrote:
> >> Hi,
> >>
> >> I'm still trying to get different types of authentication to work, 
> >> this time I'm testing with Microsoft ISA Server 2006 (which seems 
> >> pretty broken). I got basic to work with a ResponseInterceptor to pick 
> >> off the auth from a successful small request preceding a large request, 
> >> and then using preemptive from then on the large POSTS. However, I'm 
> >> having trouble with DIGEST.
> >>
> >>>> Oleg Kalnichevski wrote:
> >>>>
> >>>>> HttpClient 4.0 can be customized to support preemptive 
> >>>>> authentication using BASIC or DIGEST schemes. NTLM cannot be used
> >>>>> preemptively in principle.
> >>
> >> Just to clarify my understanding: DIGEST can only be used preemptively 
> >> when the server accepts the reuse of a previously used nonce right? 
> >> That is, if the proxy server requires a new DIGEST challenge/response 
> >> every request, then preemptive DIGEST auth will (by definition) fail?
> >>
> >>>> Ok, I was afraid of that. Does that mean that I am forced to use 
> >>>> expect/continue with non-repeatable requests?
> >>>>
> >>> I am afraid so. Another alternative would be to execute a GET or a HEAD
> >>> request to make sure credentials are OK before executing a POST with a
> >>> large entity. The good thing about NTLM authentication scheme is that
> >>> one has only to authenticate once. NTLM authentication is connection
> >>> based. A persistent HTTP connection will retain its NTLM context as long
> >>> as it remains open.
> >>
> >> Ok, I'm testing with MS ISA 2006 as mentioned above. It seems to be 
> >> very broken: when doing expect/continue it will *ALWAYS* respond 100 
> >> Continue when doing a POST, only to fail with a 407 the second you 
> >> start sending data. This breaks non-repeatable POSTS with DIGEST 
> >> authentication, and I can't use the preemptive DIGEST using 
> >> authentication from a previous request, since ISA requires a new 
> >> challenge/response on every request (even in the same connection).
> >>
> >>>>> The use of preemptive authentication is discouraged (or at least
> >>>>> not promoted). However, one can easily add preemptive 
> >>>>> authentication capabilities using custom protocol interceptors. See 
> >>>>> samples above.
> >>>>
> >>>> Ok, I'll give the interceptors a shot. The reason I want (need?) 
> >>>> preemptive authentication is because some proxies do not support 
> >>>> expect/continue and I have non-repeatable posts (multi-megabyte size).
> >>>>
> >>> An HTTP GET or HEAD preceding a POST with a large content entity is the
> >>> way to go.
> >>
> >> This works with NTLM (connection based), but not with DIGEST (at least 
> >> on ISA). Do you have any ideas how to go about it with DIGEST?
> >>
> >> Regards,
> >> Sebastiaan
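
The nonce question raised in the thread (preemptive DIGEST only works if the server accepts a previously used nonce), as an added example that is not part of the original messages and is not HttpClient code. It computes the RFC 2617 `qop=auth` response and runs it against a toy proxy that accepts each nonce once, so the second request gets 407 even though its response value is computed correctly. The class name, the `SingleUseProxy` helper and all credentials and URIs are constructed for illustration.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashSet;
import java.util.Set;

public class DigestNonceDemo {
    // Constructed sample values, not taken from the thread.
    static final String USER = "alice", REALM = "proxy", PASS = "s3cret", URI = "/upload";

    static String md5(String s) throws Exception {
        byte[] d = MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.ISO_8859_1));
        return String.format("%032x", new BigInteger(1, d));
    }

    // RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)
    static String response(String method, String nonce, String nc, String cnonce) throws Exception {
        String ha1 = md5(USER + ":" + REALM + ":" + PASS);
        String ha2 = md5(method + ":" + URI);
        return md5(ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":auth:" + ha2);
    }

    // Hypothetical toy proxy: every nonce it issues is valid for exactly one request.
    static class SingleUseProxy {
        private final Set<String> live = new HashSet<>();
        private final SecureRandom rnd = new SecureRandom();
        String challenge() {
            String n = new BigInteger(128, rnd).toString(16);
            live.add(n);
            return n;
        }

        // 200 if the nonce is still unused and the response matches, otherwise 407.
        int handle(String method, String nonce, String nc, String cnonce, String resp) throws Exception {
            if (nonce == null || !live.remove(nonce)) return 407;   // unknown or already consumed
            byte[] want = response(method, nonce, nc, cnonce).getBytes(StandardCharsets.US_ASCII);
            return MessageDigest.isEqual(want, resp.getBytes(StandardCharsets.US_ASCII)) ? 200 : 407;
        }
    }

    public static void main(String[] args) throws Exception {
        SingleUseProxy proxy = new SingleUseProxy();
        String nonce = proxy.challenge();                        // nonce from the 407 to a small HEAD
        String r1 = response("HEAD", nonce, "00000001", "c1");
        System.out.println("HEAD, fresh nonce:  " + proxy.handle("HEAD", nonce, "00000001", "c1", r1));
        String r2 = response("POST", nonce, "00000002", "c2");   // preemptive reuse of the cached nonce
        System.out.println("POST, cached nonce: " + proxy.handle("POST", nonce, "00000002", "c2", r2));
    }
}
```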

