The following test program, using a server with Digest authentication (e.g. Apache2), 
should show the problem - trace will show 100 attempts. Make sure that the credentials 
are incorrect (invalid userid or password).

import org.apache.commons.httpclient.*;
import org.apache.commons.httpclient.methods.*;

public class HttpClientTest
{
   public static void main( String[] args ) {

      HttpClient client;

      UsernamePasswordCredentials creds = null;
      String path   = "http://host/path";   // URL protected by Digest authentication
      String userid = "joe";                // deliberately invalid credentials
      String pw     = "smiff";

      try {
         client = new HttpClient();

         // Register the (wrong) credentials as the default for all realms.
         creds = new UsernamePasswordCredentials( userid, pw );
         client.getState().setCredentials( null, creds );

         PutMethod amethod = new PutMethod( path );
         amethod.setRequestHeader( "Content-Type", "text/plain" );
         amethod.setRequestBody( "body" );

         // Each 401 carries a fresh nonce, so the request is retried 100 times.
         client.executeMethod(amethod);

      } catch (Exception ex) { ex.printStackTrace(); }
   }
}

-----Original Message-----
From: Ortwin Glück [mailto:[EMAIL PROTECTED]] 
Sent: Monday, February 17, 2003 4:07 AM
To: Commons HttpClient Project
Subject: Re: Multiple attempts with same credentials

Rob Owen wrote:
> HttpMethodBase's processAuthenticationResponse uses a set of realms
> to which attempts to authenticate have already been made. The
> elements of the set are a concatenation of the requested path and the
> value of the Authentication response header.
> 
> For digest authentication this response header contains a nonce
> value, which is uniquely generated by the server each time a 401
> response is made. This makes it impossible to recognize that
> authentication against this realm has been attempted before and so
> all 100 attempts are made before returning. The nonce should probably
> not be used in the realmsUsed elements.

Wow! That's quite an ugly bug.

Rob, do you mind providing a test case for that?

Odi


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

