hc-httpclient-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Sebastiaan van Erk <sebs...@sebster.com>
Subject Re: Preemptive auth and mixed auth types and alpha5
Date Wed, 20 Aug 2008 09:27:01 GMT
Just as I replied to this message, I noticed that I had not tried the 
HEAD option which you suggested.

I tried it, and it does in fact work with DIGEST.

Thanks!

Regards,
Sebastiaan

Sebastiaan van Erk wrote:
> Hi,
> 
> I'm still trying to get different types of authentication to work, this 
> time I'm testing with Microsoft ISA Server 2006 (which seems pretty 
> broken). I got basic to work with a ResponseInterceptor to pick of the 
> auth from a successful small request preceding a large request, and then 
> using preemptive from then on the large POSTS. However, I'm having 
> trouble with DIGEST.
> 
>>> Oleg Kalnichevski wrote:
>>>
>>>> HttpClient 4.0 can be customized to support preemptive 
>>>> authentication using BASIC or DIGEST schemes. NTLM cannot be used 
>>>> preemptively in principle.
> 
> Just to clarify my understanding: DIGEST can only be used preemptively 
> when the server accepts the reuse of a previously used nonce right? That 
> is, if the proxy server requires a new DIGEST challenge/response every 
> request, then preemptive DIGEST auth will (by definition) fail?
> 
>>> Ok, I was afraid of that. Does that mean that I am forced to use 
>>> expect/continue with non-repeatable requests?
>>>
>> I am afraid so. Another alternative would be to execute a GET or a HEAD
>> request to make sure credentials are OK before executing a POST with a
>> large entity. The good thing about NTLM authentication scheme is that
>> one has only to authenticate once. NTLM authentication is connection
>> based. A persistent HTTP connection will retain its NTLM context as long
>> as it remains open.
> 
> Ok, I'm testing with MS ISA 2006 as mentioned above. It seems to be very 
> broken: when doing expect/continue it will *ALWAYS* respond 100 Continue 
> when doing a POST, only to fail with a 407 the second you start sending 
> data. This breaks non-repeatable POSTS with DIGEST authentication, and I 
> can't use the preemptive DIGEST using authentication from a previous 
> request, since ISA requires a new challenge/response on the every 
> request (even in the same connection).
> 
>>>> The use of preemptive authentication is discouraged (or at least not 
>>>> promoted). However, one can easily add  preemptive authentication 
>>>> capabilities using custom protocol interceptors. See samples above.
>>>
>>> Ok, I'll give the interceptors a shot. The reason I want (need?) 
>>> preemptive authentication is because some proxies do not support 
>>> expect/continue and I have non-repeatable posts (multi-megabyte size).
>>>
>> An HTTP GET or HEAD preceding a POST with a large content entity is the
>> way to go.
> 
> This works with NTLM (connection based), but not with DIGEST (at least 
> on ISA). Do you have any ideas how to go about it with DIGEST?
> 
> Regards,
> Sebastiaan

Mime
View raw message