hc-httpclient-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Sebastiaan van Erk <sebs...@sebster.com>
Subject Re: Preemptive auth and mixed auth types and alpha5
Date Wed, 20 Aug 2008 09:19:48 GMT
Hi,

I'm still trying to get different types of authentication to work, this 
time I'm testing with Microsoft ISA Server 2006 (which seems pretty 
broken). I got basic to work with a ResponseInterceptor to pick of the 
auth from a successful small request preceding a large request, and then 
using preemptive from then on the large POSTS. However, I'm having 
trouble with DIGEST.

>> Oleg Kalnichevski wrote:
>>
>>> HttpClient 4.0 can be customized to support preemptive authentication 
>>> using BASIC or DIGEST schemes. NTLM cannot be used preemptively in 
>>> principle.

Just to clarify my understanding: DIGEST can only be used preemptively 
when the server accepts the reuse of a previously used nonce right? That 
is, if the proxy server requires a new DIGEST challenge/response every 
request, then preemptive DIGEST auth will (by definition) fail?

>> Ok, I was afraid of that. Does that mean that I am forced to use 
>> expect/continue with non-repeatable requests?
>>
> I am afraid so. Another alternative would be to execute a GET or a HEAD
> request to make sure credentials are OK before executing a POST with a
> large entity. The good thing about NTLM authentication scheme is that
> one has only to authenticate once. NTLM authentication is connection
> based. A persistent HTTP connection will retain its NTLM context as long
> as it remains open.

Ok, I'm testing with MS ISA 2006 as mentioned above. It seems to be very 
broken: when doing expect/continue it will *ALWAYS* respond 100 Continue 
when doing a POST, only to fail with a 407 the second you start sending 
data. This breaks non-repeatable POSTS with DIGEST authentication, and I 
can't use the preemptive DIGEST using authentication from a previous 
request, since ISA requires a new challenge/response on the every 
request (even in the same connection).

>>> The use of preemptive authentication is discouraged (or at least not 
>>> promoted). However, one can easily add  preemptive authentication 
>>> capabilities using custom protocol interceptors. See samples above.
>>
>> Ok, I'll give the interceptors a shot. The reason I want (need?) 
>> preemptive authentication is because some proxies do not support 
>> expect/continue and I have non-repeatable posts (multi-megabyte size).
>>
> An HTTP GET or HEAD preceding a POST with a large content entity is the
> way to go.

This works with NTLM (connection based), but not with DIGEST (at least 
on ISA). Do you have any ideas how to go about it with DIGEST?

Regards,
Sebastiaan

Mime
View raw message