hc-httpclient-users mailing list archives

From Oleg Kalnichevski <ol...@apache.org>
Subject Re: Potential account lockouts when using authentication using concurrent http requests
Date Tue, 16 Sep 2008 21:45:13 GMT
On Tue, 2008-09-16 at 14:24 -0700, Henrich Kraemer wrote:
> Hi Oleg,
> 
> I assume that by "credentials store" you are talking about the abstraction provided by
> the CredentialsProvider interface, which allows one to set or get credentials
> as well as to clear them.

Correct.

> I believe you are saying in HttpClient 4 managing the credential store is
> entirely the responsibility of the application.
> Therefore the get/clear methods would not be strictly needed, right?
> 

The getter is used by HttpClient internally to obtain credentials for a
particular scope. The #clear() method is not strictly needed.


> See also my follow up questions below.
> 
> Thanks much,
> 
> Henrich
> 
> 
> > When using HttpClient 4.0 one is advised to do the following:
> >
> > * populate the credentials store with the default credentials if
> > available
> > * execute the request
> > * if the request fails with status code 401 or 407, prompt the user for
> > new credentials
> > * update the credentials store according to the user input
> > * retry
> 
> I looked at the ClientInteractiveAuthentication example. Here are some
> excerpts:
>         boolean trying = true;
>         while (trying) {
> ..
>             HttpResponse response = httpclient.execute(httpget, localContext);
> ..
>             HttpEntity entity = response.getEntity();
>             if (entity != null) {
>                 entity.consumeContent();
>             }
> 
>             int sc = response.getStatusLine().getStatusCode();
> 
>             AuthState authState = null;
>             if (sc == HttpStatus.SC_UNAUTHORIZED) {
>                 // Target host authentication required
>                 authState = (AuthState) localContext.getAttribute(ClientContext.TARGET_AUTH_STATE);
>             }
>             if (sc == HttpStatus.SC_PROXY_AUTHENTICATION_REQUIRED) {
>                 // Proxy authentication required
>                 authState = (AuthState) localContext.getAttribute(ClientContext.PROXY_AUTH_STATE);
>             }
> 
>             if (authState != null) {
> ..
>                 AuthScope authScope = authState.getAuthScope();
> ..
>                 System.out.print("Enter username: ");
>                 String user = console.readLine();
>                 System.out.print("Enter password: ");
>                 String password = console.readLine();
> 
>                 if (user != null && user.length() > 0) {
>                     Credentials creds = new UsernamePasswordCredentials(user, password);
>                     httpclient.getCredentialsProvider().setCredentials(authScope, creds);
>                     trying = true;
>                 } else {
>                     trying = false;
>                 }
>             } else {
>                 trying = false;
>             }
>         }
> 
> I would think that some state needs to be carried over when forming the
> response (for the digest scheme).
> Is this done via the HttpContext (localContext) which is passed into each
> execute() call?
> 

Yes, it is. You may want to take a look at
ClientPreemptiveDigestAuthentication for an example of how local context
can be used to maintain state information between request invocations.

Hope this helps

Oleg


> >
> > One can also use the same logic with HttpClient 3.x.
> >
> > Hope this helps
> >
> > Oleg
> >
> > > Thanks,
> > >
> > > Henrich
> >
> >


---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org
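The retry loop quoted above, combined with the shared HttpContext Oleg points to, as an added example written for this archive page (it is not code from the HttpClient project or from either poster). It addresses the concern in the subject line: with several threads executing requests against the same realm, each one that sees a 401 can prompt and replay a wrong password, so the example bounds the number of fresh credential attempts per AuthScope and lets concurrent requests take turns refreshing credentials rather than each prompting. The HttpClient 4.0 class and method names are the ones that appear on the page (DefaultHttpClient, BasicHttpContext, ClientContext.TARGET_AUTH_STATE, AuthState.getAuthScope, CredentialsProvider.setCredentials, HttpEntity.consumeContent); the CredentialsPrompt interface, the attempt limit and the generation counter are assumptions made here.

```java
import java.io.IOException;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.concurrent.atomic.AtomicLong;

import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.HttpStatus;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.AuthState;
import org.apache.http.auth.Credentials;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.protocol.ClientContext;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.protocol.BasicHttpContext;
import org.apache.http.protocol.HttpContext;

public class BoundedInteractiveAuth {

    /** Hypothetical callback that asks the user for credentials; returns null to give up. */
    public interface CredentialsPrompt {
        Credentials prompt(AuthScope scope);
    }

    // Assumed policy, not an HttpClient setting: at most this many fresh attempts per
    // scope, so a mistyped password is not replayed until the server locks the account.
    private static final int MAX_ATTEMPTS_PER_SCOPE = 2;

    private final DefaultHttpClient httpclient;
    private final CredentialsPrompt prompt;
    // Bumped every time credentials in the shared store are updated (constructed here).
    private final AtomicLong credentialGeneration = new AtomicLong();
    // Per-scope attempt counters and locks; AuthScope implements equals/hashCode.
    private final ConcurrentMap<AuthScope, AtomicInteger> attempts = new ConcurrentHashMap<AuthScope, AtomicInteger>();
    private final ConcurrentMap<AuthScope, Object> scopeLocks = new ConcurrentHashMap<AuthScope, Object>();

    public BoundedInteractiveAuth(DefaultHttpClient httpclient, CredentialsPrompt prompt) {
        this.httpclient = httpclient;
        this.prompt = prompt;
    }

    /** Executes the request, retrying with user-supplied credentials; returns the final status code. */
    public int executeWithAuth(HttpGet httpget) throws IOException {
        // One context for all retries: it carries the AuthState (realm, digest nonce, ...)
        // between execute() invocations, which is what the digest scheme needs.
        HttpContext localContext = new BasicHttpContext();
        while (true) {
            long seenGeneration = credentialGeneration.get();
            HttpResponse response = httpclient.execute(httpget, localContext);
            HttpEntity entity = response.getEntity();
            if (entity != null) {
                entity.consumeContent(); // release the connection before any retry
            }
            int sc = response.getStatusLine().getStatusCode();

            AuthState authState = null;
            if (sc == HttpStatus.SC_UNAUTHORIZED) {
                authState = (AuthState) localContext.getAttribute(ClientContext.TARGET_AUTH_STATE);
            } else if (sc == HttpStatus.SC_PROXY_AUTHENTICATION_REQUIRED) {
                authState = (AuthState) localContext.getAttribute(ClientContext.PROXY_AUTH_STATE);
            }
            if (authState == null || authState.getAuthScope() == null) {
                return sc; // success, or a failure new credentials will not fix
            }
            if (!refreshCredentials(authState.getAuthScope(), seenGeneration)) {
                return sc; // attempt budget exhausted or the user gave up
            }
        }
    }

    /** Returns true if the caller should retry, false if it should stop. */
    private boolean refreshCredentials(AuthScope scope, long seenGeneration) {
        scopeLocks.putIfAbsent(scope, new Object());
        synchronized (scopeLocks.get(scope)) {
            // Another thread updated the store after this request was sent: retry with
            // those credentials instead of prompting (and do not spend an attempt).
            if (credentialGeneration.get() != seenGeneration) {
                return true;
            }
            attempts.putIfAbsent(scope, new AtomicInteger());
            if (attempts.get(scope).incrementAndGet() > MAX_ATTEMPTS_PER_SCOPE) {
                return false;
            }
            Credentials creds = prompt.prompt(scope);
            if (creds == null) {
                return false;
            }
            httpclient.getCredentialsProvider().setCredentials(scope, creds);
            credentialGeneration.incrementAndGet();
            return true;
        }
    }
}
```

The generation check is the part that matters for lockouts: without it, N threads that all received a 401 with the old password each prompt and each send one more authentication attempt, so a single typo becomes N failed logins against the same account. With it, the first thread through the lock refreshes the store and the others simply retry with what it entered. The per-scope counter is a second, coarser guard that stops the loop well before a typical server-side lockout threshold is reached; the two-attempt value is an illustrative choice, not a recommendation from the HttpClient project.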

