Re: Make HttpClient pick Basic Auth over NTLM?

Thu, 04 Dec 2003 23:47:48 -0800 

Hello Eric,

it's a question of interpretation, isn't it? If we provide an option to 
prefer
Basic auth over NTLM, we violate the RFC. If we provide an option to
*disable* NTLM in certain cases, HttpClient would no longer understand
it, and has to select Basic following the rules of the RFC :-)

cheers,
  Roland





Eric Johnson <[EMAIL PROTECTED]>
04.12.2003 15:31
Please respond to "Commons HttpClient Project"
 
        To:     Commons HttpClient Project 
<[EMAIL PROTECTED]>
        cc: 
        Subject:        Re: Make HttpClient pick Basic Auth over NTLM?


I'm not sure that HttpClient should do anything different.

According to section 4.6 of RFC 2617, "A user agent MUST choose to use 
the strongest auth- scheme it understands and request credentials from 
the user based upon that challenge."

Since Basic is pretty darn weak, I'd say NTLM wins out every time.  Is 
this a point on which HttpClient should have an option to override the 
RFC mandated behavior?  As somewhat of a fanatic about security, my take 
is that you should be forced to do the right thing, and if you really 
want to, the source is there for you to modify.

-Eric.

anon permutation wrote:

>
> Hi,
>
> I am using a proxy server that supports both NTLM and Basic 
> Authentications.  How do I make HttpClient use Basic Auth. instead of 
> NTLM?  I am using 2.0-rc2.  Following is my code:
>
> 
--------------------------------------------------------------------------------------------------------------------
 

>
> HttpClient client = new HttpClient();
> HttpMethod method = null;
>
> client.getState().setProxyCredentials(null, new 
> UsernamePasswordCredentials("user","passwd"));
>
> HostConfiguration hc = client.getHostConfiguration();
> hc.setProxy("10.0.0.2", 80);
>
> method = new GetMethod(url);
> client.executeMethod(method);
> byte[] responseBody = method.getResponseBody();
> 
-----------------------------------------------------------------------------------------------------------------
 

>
>
> I am getting this error:
> Credentials cannot be used for NTLM authentication
>
>
> Thanks.
>
> _________________________________________________________________
> Browse styles for all ages, from the latest looks to cozy weekend wear 
> at MSN Shopping.  And check out the beauty products! 
> http://shopping.msn.com
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: 
> [EMAIL PROTECTED]
> For additional commands, e-mail: 
> [EMAIL PROTECTED]
>
>


---------------------------------------------------------------------
To unsubscribe, e-mail: 
[EMAIL PROTECTED]
For additional commands, e-mail: 
[EMAIL PROTECTED]

Reply via email to