--- "Paul C. Bryan" <[EMAIL PROTECTED]> wrote:
[...]
> Storing the URL, as you suggest is overly restrictive, and would 
> potentially require caching every separate URL that has required 
> authentication for a particular realm.
> 
> Most browsers appear to send credentials for every subsequent
> request to the same host and port. This can be a bit risky
> in my opinion, as the user's credentials could be supplied
> to unrelated services on the same host.
[...]

How about a middle ground?  I was thinking maybe storing the URL of
the place that required authentication, and then preemptively sending
the authorization for every request that is "underneath" that place
in the hierarchy...

Example:

We get a 401 for http://www.foo.bar/secure/index.html.  Store, along
with the realm, "http://www.foo.bar/secure/"... and then any
subsequent request that startsWith that URL gets preemptively
authorized.

YES: http://www.foo.bar/secure/upload.cgi
YES: http://www.foo.bar/secure/dir/index.html
NO:  http://www.foo.bar/index.html
NO:  https://www.foo.bar/secure/index.html

One other thing to think about is nested authorization... I don't
know what Apache does if you have a .htaccess file in /secure, and
then another one with a different realm in /secure/dir ... does it
require both username/password combos, or just the innermost one? 
HttpClient could handle either case, I suspect, with careful coding.

matt
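
The prefix rule proposed above, as an added example that is not part of the original message and not HttpClient code. The class name, method names and realm names are hypothetical; it assumes the innermost (longest) stored prefix wins for nested realms, and it normalizes host case, default port and ".." segments before comparing so that credentials are not sent outside the stored directory.

```java
import java.net.URI;
import java.util.HashMap;
import java.util.Map;

// Hypothetical helper, not part of HttpClient.
public class PreemptiveAuthScopes {
    // Key: normalized "scheme://host:port/dir/" prefix; value: realm name.
    private final Map<String, String> scopes = new HashMap<>();

    // Lower-case scheme and host, fill in the default port, resolve "." and ".." segments.
    static String canonical(String url) {
        URI u = URI.create(url).normalize();
        String scheme = u.getScheme().toLowerCase();
        int port = u.getPort() != -1 ? u.getPort() : (scheme.equals("https") ? 443 : 80);
        String path = (u.getRawPath() == null || u.getRawPath().isEmpty()) ? "/" : u.getRawPath();
        return scheme + "://" + u.getHost().toLowerCase() + ":" + port + path;
    }

    // Called after a 401: remember the directory of the challenged URL for this realm.
    public void recordChallenge(String url, String realm) {
        String c = canonical(url);
        scopes.put(c.substring(0, c.lastIndexOf('/') + 1), realm);
    }

    // Returns the realm whose credentials may be sent preemptively, or null if none.
    // The longest matching prefix wins, so a nested realm overrides its parent.
    public String realmFor(String url) {
        String c = canonical(url);
        String best = null;
        for (String prefix : scopes.keySet()) {
            // Stored prefixes end in "/", so "/secure-old/" never matches "/secure/".
            if (c.startsWith(prefix) && (best == null || prefix.length() > best.length())) {
                best = prefix;
            }
        }
        return best == null ? null : scopes.get(best);
    }

    public static void main(String[] args) {
        PreemptiveAuthScopes s = new PreemptiveAuthScopes();
        s.recordChallenge("http://www.foo.bar/secure/index.html", "outer");     // constructed realms
        s.recordChallenge("http://www.foo.bar/secure/dir/index.html", "inner");
        String[] urls = {   // the four URLs from the message plus two constructed edge cases
            "http://www.foo.bar/secure/upload.cgi", "http://www.foo.bar/secure/dir/index.html",
            "http://www.foo.bar/index.html", "https://www.foo.bar/secure/index.html",
            "http://www.foo.bar/secure/../index.html", "http://www.foo.bar/secure-old/index.html" };
        for (String u : urls) System.out.println(s.realmFor(u) + "  " + u);
    }
}
```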

