Return-Path: 
 <httpclient-users-return-12191-apmail-hc-httpclient-users-archive=hc.apache.org@hc.apache.org>
X-Original-To: apmail-hc-httpclient-users-archive@www.apache.org
Delivered-To: apmail-hc-httpclient-users-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id 0D920115A2
	for <apmail-hc-httpclient-users-archive@www.apache.org>;
 Tue, 20 May 2014 15:13:33 +0000 (UTC)
Received: (qmail 11458 invoked by uid 500); 20 May 2014 15:13:32 -0000
Delivered-To: apmail-hc-httpclient-users-archive@hc.apache.org
Received: (qmail 11417 invoked by uid 500); 20 May 2014 15:13:32 -0000
Mailing-List: contact httpclient-users-help@hc.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:httpclient-users-help@hc.apache.org>
List-Unsubscribe: <mailto:httpclient-users-unsubscribe@hc.apache.org>
List-Post: <mailto:httpclient-users@hc.apache.org>
List-Id: <httpclient-users.hc.apache.org>
Reply-To: "HttpClient User Discussion" <httpclient-users@hc.apache.org>
Delivered-To: mailing list httpclient-users@hc.apache.org
Received: (qmail 11409 invoked by uid 99); 20 May 2014 15:13:32 -0000
Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 20 May 2014 15:13:32 +0000
X-ASF-Spam-Status: No, hits=-0.0 required=5.0
	tests=SPF_PASS
X-Spam-Check-By: apache.org
Received-SPF: pass (nike.apache.org: local policy includes SPF record at
 spf.trusted-forwarder.org)
Received: from [5.148.180.21] (HELO kalnich2.nine.ch) (5.148.180.21)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 20 May 2014 15:13:27 +0000
Received: from [192.168.42.101] (unknown [213.55.184.247])
	(using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits))
	(No client certificate requested)
	by kalnich2.nine.ch (Postfix) with ESMTPSA id 20AD0160092
	for <httpclient-users@hc.apache.org>; Tue, 20 May 2014 15:13:04 +0000 (UTC)
Message-ID: <1400598783.26697.2.camel@ubuntu>
Subject: Re: SPNEGO/Kerberos Auth when POST is first request
From: Oleg Kalnichevski <olegk@apache.org>
To: HttpClient User Discussion <httpclient-users@hc.apache.org>
Date: Tue, 20 May 2014 17:13:03 +0200
In-Reply-To: 
 <CAKfebONaNvVjRui0g-N9w2ga6vgPYWKVVRm9hpCKgR9oYO1Uow@mail.gmail.com>
References: 
	<CAKfebOM5u66Vi-iAOsyzmXsLk=E0uTioogp+6Q=EjP3k+hLeBA@mail.gmail.com>
	 <1400065801.8913.12.camel@ubuntu>
	 <CAKfebONaNvVjRui0g-N9w2ga6vgPYWKVVRm9hpCKgR9oYO1Uow@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.10.4-0ubuntu1 
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Virus-Checked: Checked by ClamAV on apache.org

On Mon, 2014-05-19 at 14:47 -0700, Gregory Chanan wrote:
> Hi Oleg,
> 
> Thanks, that makes sense.  Any equivalent for httpclient 4.2.5?  I use both
> 4.2.5 and 4.3.3.
> 

Unfortunately 4.2 APIs do not provide an equivalent method.

Oleg

> Thanks,
> Greg
> 
> 
> On Wed, May 14, 2014 at 4:10 AM, Oleg Kalnichevski <olegk@apache.org> wrote:
> 
> > On Tue, 2014-05-13 at 17:05 -0700, Gregory Chanan wrote:
> > > I'm using httpclient (4.3.3) in my application with SPNEGO/Kerberos Auth
> > > and everything works well when a GET is the first request to a remote
> > > host.  This is consistent with
> > >
> > http://hc.apache.org/httpcomponents-client-ga/tutorial/html/authentication.html#spnegowhich
> > > only discusses SPNEGO with GET.
> > >
> > > I run into problems in my application if POST is the first request; there
> > > are a couple of different given the SPNEGO negotiation.  What I've done
> > is
> > > address this at the application level: if a POST is being requested, I
> > > first generate a GET in order to trigger the SPNEGO negotiation, then
> > send
> > > the POST.
> > >
> > > There are a couple of downsides to this approach, though:
> > > 1) It's inefficient because I send the GET each time a POST request is
> > > made, not once per connection.
> > > 2) I have to change the application code everywhere httpclient requests
> > are
> > > made
> > >
> > > Anyone have a suggestion for how to address this?  I was thinking of
> > > implementing by own HttpClientConnectionManager that overrides "connect"
> > > and sends the GET after the connection is established.  That way I
> > address
> > > 1) because I only send the GET once per connection and 2) I can get rid
> > of
> > > the changes in my application code and just use normal HttpClients.
> > >
> > > Thoughts?
> >
> > Gregory,
> >
> > It is a reasonable approach. However, you should overrride
> > #routeComplete method instead of #connect. This will enable you to
> > interact with the connection immediately after its route has been fully
> > established. Otherwise, your connection manager would not work correctly
> > with tunneled connections (for instance, https requests via a proxy).
> >
> > Hope this helps
> >
> > Oleg
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
> > For additional commands, e-mail: httpclient-users-help@hc.apache.org
> >
> >



---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org