Hi,

I'm still trying to get different types of authentication to work; this
time I'm testing with Microsoft ISA Server 2006 (which seems pretty
broken). I got basic to work with a ResponseInterceptor to pick off the
auth from a successful small request preceding a large request, and then
using preemptive from then on for the large POSTs. However, I'm having
trouble with DIGEST.

>> Oleg Kalnichevski wrote:
>>
>>> HttpClient 4.0 can be customized to support preemptive authentication
>>> using BASIC or DIGEST schemes. NTLM cannot be used preemptively in
>>> principle.

Just to clarify my understanding: DIGEST can only be used preemptively
when the server accepts the reuse of a previously used nonce, right? That
is, if the proxy server requires a new DIGEST challenge/response on every
request, then preemptive DIGEST auth will (by definition) fail?

>> Ok, I was afraid of that. Does that mean that I am forced to use
>> expect/continue with non-repeatable requests?
>>
> I am afraid so. Another alternative would be to execute a GET or a HEAD
> request to make sure credentials are OK before executing a POST with a
> large entity. The good thing about NTLM authentication scheme is that
> one has only to authenticate once. NTLM authentication is connection
> based. A persistent HTTP connection will retain its NTLM context as long
> as it remains open.

Ok, I'm testing with MS ISA 2006 as mentioned above. It seems to be very
broken: when doing expect/continue it will *ALWAYS* respond 100 Continue
when doing a POST, only to fail with a 407 the second you start sending
data. This breaks non-repeatable POSTs with DIGEST authentication, and I
can't use the preemptive DIGEST using authentication from a previous
request, since ISA requires a new challenge/response on every
request (even in the same connection).

>>> The use of preemptive authentication is discouraged (or at least not
>>> promoted). However, one can easily add preemptive authentication
>>> capabilities using custom protocol interceptors. See samples above.
>>
>> Ok, I'll give the interceptors a shot. The reason I want (need?)
>> preemptive authentication is because some proxies do not support
>> expect/continue and I have non-repeatable posts (multi-megabyte size).
>>
> An HTTP GET or HEAD preceding a POST with a large content entity is the
> way to go.

This works with NTLM (connection based), but not with DIGEST (at least
on ISA). Do you have any ideas how to go about it with DIGEST?

Regards,
Sebastiaan
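
Added example, not part of the original message and not HttpClient code: a toy model of the point discussed in this thread, that a preemptive DIGEST header built from an earlier nonce only passes when the server accepts nonce reuse with an increasing `nc` (RFC 2617, `qop=auth`, MD5). The `ToyProxy` class, credentials, URIs and cnonce are constructed for illustration; `single_use=True` models a server that wants a fresh challenge for every request.

```python
import hashlib

def md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 request-digest for qop=auth, algorithm=MD5."""
    ha1 = md5(f"{user}:{realm}:{password}")
    ha2 = md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{nc:08x}:{cnonce}:auth:{ha2}")

class ToyProxy:
    """Constructed stand-in for a proxy, not a model of any real product."""
    def __init__(self, single_use, creds=("alice", "proxy", "s3cret")):
        self.single_use, self.creds = single_use, creds
        self.nonces = {}      # nonce -> highest nc accepted so far
        self.counter = 0

    def challenge(self):
        self.counter += 1
        nonce = md5(f"nonce-{self.counter}")
        self.nonces[nonce] = 0
        return nonce

    def handle(self, method, uri, auth=None):
        """Return (status, new_nonce); new_nonce is set on a 407 challenge."""
        if auth is None:
            return 407, self.challenge()
        last_nc = self.nonces.get(auth["nonce"])
        # Stale if unknown, if nc did not increase (replay), or if already used once.
        stale = (last_nc is None or auth["nc"] <= last_nc
                 or (self.single_use and last_nc >= 1))
        expected = digest_response(*self.creds, method, uri,
                                   auth["nonce"], auth["nc"], auth["cnonce"])
        if stale or auth["response"] != expected:
            return 407, self.challenge()
        self.nonces[auth["nonce"]] = auth["nc"]
        return 200, None

def preemptive_post_after_get(proxy):
    """Small GET to obtain a nonce, then a preemptive POST reusing it with nc+1."""
    user, realm, pw = proxy.creds
    _, nonce = proxy.handle("GET", "/probe")            # initial 407 challenge
    def auth(method, uri, nc, cnonce="c0ffee"):         # constructed cnonce
        return {"nonce": nonce, "nc": nc, "cnonce": cnonce, "response":
                digest_response(user, realm, pw, method, uri, nonce, nc, cnonce)}
    get_status, _ = proxy.handle("GET", "/probe", auth("GET", "/probe", 1))
    post_status, _ = proxy.handle("POST", "/upload", auth("POST", "/upload", 2))
    return get_status, post_status
```

With `single_use=False` both requests return 200; with `single_use=True` the GET succeeds and the preemptive POST is answered with 407 and a new nonce.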