On Thu, 2006-09-14 at 13:10 +0530, Saminda Abeyruwan wrote:
> Hi Devs,
> ...
> Axis2 enables preemptive authentication. Thus, in this mode Httpclient
> will send the basic authentication response even before the server
> gives an unauthorized response in certain situations, thus reducing
> the overhead of making the connection. This is related to JIRA 1081.
>
Folks,

Please do consider disabling the preemptive authentication for insecure transports such as plain HTTP per default. There is no evidence that preemptive authentication results in any measurable performance improvement, but it does pose a very real security risk. The use of preemptive authentication over a secure transport such as TLS/SSL is okay and can actually be useful.

Oleg

> Please do provide your consensus on the prior. Please do test this
> with your existing clients and let us know the results.
>
> Thank you
>
> Saminda
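
The default proposed in the reply above, as an added example that is not part of the original thread and is not Axis2 or HttpClient code: credentials go out on the first request only over https, and the last line of output shows why, since a Basic header decodes straight back to the user name and password. The class, method names, endpoints and credentials are constructed for illustration.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration; class and method names are hypothetical, not Axis2 or HttpClient API.
public class PreemptiveAuthPolicy {

    /** Preemptive Basic credentials are allowed only when the transport is TLS. */
    static boolean allowPreemptive(URI target) {
        String scheme = target.getScheme();          // null for relative URIs
        return scheme != null && scheme.equalsIgnoreCase("https");
    }

    /** Basic scheme: "Basic " + base64(user ":" password). Encoding, not encryption. */
    static String basicHeader(String user, String password) {
        byte[] raw = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    /** Headers for the first request, i.e. before any 401 challenge has been seen. */
    static Map<String, String> firstRequestHeaders(URI target, String user, String password) {
        Map<String, String> headers = new LinkedHashMap<>();
        headers.put("Host", target.getHost());
        if (allowPreemptive(target)) {
            headers.put("Authorization", basicHeader(user, password));
        }
        return headers;
    }

    /** What anyone able to read a plain-HTTP request recovers from the header. */
    static String decodeBasic(String headerValue) {
        String b64 = headerValue.substring("Basic ".length());
        return new String(Base64.getDecoder().decode(b64), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed sample endpoints and credentials.
        String user = "svc-client", pass = "example-password";
        for (String u : new String[] {"http://ws.example.org/axis2/services/Echo",
                                      "https://ws.example.org/axis2/services/Echo"}) {
            System.out.println(u + " -> " + firstRequestHeaders(URI.create(u), user, pass));
        }
        System.out.println("decoded: " + decodeBasic(basicHeader(user, pass)));
    }
}
```

With this gate, a plain-HTTP endpoint still gets credentials after it answers 401, so the gate removes only the unsolicited first send, not Basic authentication itself.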
