On Wed, 2008-08-20 at 11:44 +0200, Sebastiaan van Erk wrote:
> Hi,
>
> Unfortunately the HEAD option is not very stable either. The nonce is
> usable only once as well, so in the next post it is no good anymore.
> However, if I set the nonce preemptively using the request/response
> interceptor method ISA will say 407 but httpclient will not try again,
> which will mean that due to the response interceptor the new DIGEST auth
> has been saved and it will work for the next POST.
>
> I don't really understand why httpclient does retry the request when
> there is no auth preemptively set, but does not retry the request when
> there is.
>
> Also I'm afraid this solution is very brittle: if the HTTP target
> requires any kind of digest authentication I'm sure this will completely
> fail.
>
I am not sure I understand the problem. Could you please post wire logs
of both sessions?

> The only thing I can really think of is to somehow make the POST
> repeatable (buffer it?). Is the value of isRepeatable() allowed to
> change?

No, but you can decorate the entity with a buffering wrapper similar to
the BufferedHttpEntity.

Hope this helps

Oleg

> I.e. it is repeatable as long as we're in the first 4096 bytes
> of the stream (the buffer), but after that, it is no more? I can't
> buffer multimegabytes, but as long as I can buffer enough to handle
> the authentication, it should do the trick...
>
> Regards,
> Sebastiaan
>
> Sebastiaan van Erk wrote:
> > Just as I replied to this message, I noticed that I had not tried the
> > HEAD option which you suggested.
> >
> > I tried it, and it does in fact work with DIGEST.
> >
> > Thanks!
> >
> > Regards,
> > Sebastiaan
> >
> > Sebastiaan van Erk wrote:
> >> Hi,
> >>
> >> I'm still trying to get different types of authentication to work,
> >> this time I'm testing with Microsoft ISA Server 2006 (which seems
> >> pretty broken). I got basic to work with a ResponseInterceptor to pick
> >> off the auth from a successful small request preceding a large request,
> >> and then using preemptive from then on the large POSTS. However, I'm
> >> having trouble with DIGEST.
> >>
> >>>> Oleg Kalnichevski wrote:
> >>>>
> >>>>> HttpClient 4.0 can be customized to support preemptive
> >>>>> authentication using BASIC or DIGEST schemes. NTLM cannot be used
> >>>>> preemptively in principle.
> >>
> >> Just to clarify my understanding: DIGEST can only be used preemptively
> >> when the server accepts the reuse of a previously used nonce right?
> >> That is, if the proxy server requires a new DIGEST challenge/response
> >> every request, then preemptive DIGEST auth will (by definition) fail?
> >>
> >>>> Ok, I was afraid of that. Does that mean that I am forced to use
> >>>> expect/continue with non-repeatable requests?
> >>>>
> >>> I am afraid so. Another alternative would be to execute a GET or a HEAD
> >>> request to make sure credentials are OK before executing a POST with a
> >>> large entity. The good thing about NTLM authentication scheme is that
> >>> one has only to authenticate once. NTLM authentication is connection
> >>> based. A persistent HTTP connection will retain its NTLM context as long
> >>> as it remains open.
> >>
> >> Ok, I'm testing with MS ISA 2006 as mentioned above. It seems to be
> >> very broken: when doing expect/continue it will *ALWAYS* respond 100
> >> Continue when doing a POST, only to fail with a 407 the second you
> >> start sending data. This breaks non-repeatable POSTS with DIGEST
> >> authentication, and I can't use the preemptive DIGEST using
> >> authentication from a previous request, since ISA requires a new
> >> challenge/response on every request (even in the same connection).
> >>
> >>>>> The use of preemptive authentication is discouraged (or at least
> >>>>> not promoted). However, one can easily add preemptive
> >>>>> authentication capabilities using custom protocol interceptors. See
> >>>>> samples above.
> >>>>
> >>>> Ok, I'll give the interceptors a shot. The reason I want (need?)
> >>>> preemptive authentication is because some proxies do not support
> >>>> expect/continue and I have non-repeatable posts (multi-megabyte size).
> >>>>
> >>> An HTTP GET or HEAD preceding a POST with a large content entity is the
> >>> way to go.
> >>
> >> This works with NTLM (connection based), but not with DIGEST (at least
> >> on ISA). Do you have any ideas how to go about it with DIGEST?
> >>
> >> Regards,
> >> Sebastiaan
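
The buffering-wrapper suggestion and the "first 4096 bytes" idea from the message above, as an added example that is not code from the thread or from the HttpClient project. `PrefixBufferedEntity` and its `limit` parameter are hypothetical names; reporting `isRepeatable()` as constantly true and failing a replay once the body has gone past the buffer is an assumed way to combine the two points, built on HttpCore's `HttpEntityWrapper`.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.Arrays;
import org.apache.http.HttpEntity;
import org.apache.http.entity.HttpEntityWrapper;

// Hypothetical class (not part of HttpClient): keeps the first `limit` bytes of a
// streamed entity so the request can be re-sent while only those bytes were used.
public class PrefixBufferedEntity extends HttpEntityWrapper {
    private final int limit;      // e.g. 4096, the buffer size mentioned in the thread
    private byte[] prefix;        // first bytes of the body, filled on the first attempt
    private InputStream tail;     // remainder of the original one-shot stream
    private boolean tailTouched;  // true once bytes past the prefix were read

    public PrefixBufferedEntity(HttpEntity wrapped, int limit) {
        super(wrapped);
        this.limit = limit;
    }

    // Constant on purpose: the value of isRepeatable() is not allowed to change.
    @Override public boolean isRepeatable() { return true; }

    // Assumption: the client sends the request body through writeTo() only.
    @Override public InputStream getContent() {
        throw new UnsupportedOperationException("use writeTo()");
    }

    @Override public void writeTo(OutputStream out) throws IOException {
        if (prefix == null) {                 // first attempt: fill the buffer
            tail = wrappedEntity.getContent();
            byte[] buf = new byte[limit];
            int len = 0, n;
            while (len < limit && (n = tail.read(buf, len, limit - len)) != -1) len += n;
            prefix = Arrays.copyOf(buf, len);
        } else if (tailTouched) {             // replay requested too late
            throw new IOException("body already streamed past the " + limit + "-byte buffer");
        }
        out.write(prefix);                    // replayable part
        byte[] chunk = new byte[4096];
        int n;
        while ((n = tail.read(chunk)) != -1) {
            tailTouched = true;               // these bytes cannot be sent again
            out.write(chunk, 0, n);
        }
    }
}
```

A retry succeeds only if the first attempt was cut off before any byte beyond the buffer was read; otherwise the second `writeTo()` fails with an `IOException` instead of silently sending a truncated body.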