DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://issues.apache.org/bugzilla/show_bug.cgi?id=28659>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=28659 Allow Basic authentication to pre-encode the username/password Summary: Allow Basic authentication to pre-encode the username/password Product: Commons Version: 2.0 Final Platform: All OS/Version: All Status: NEW Severity: Enhancement Priority: Other Component: HttpClient AssignedTo: [EMAIL PROTECTED] ReportedBy: [EMAIL PROTECTED] In the current (2.0) HttpClient, if there is a need to use Basic authentication through a proxy, the client application must instantiate a UsernamePasswordCredential instance and call "setUsername" & "setPassword", which will be Base64 encoded by the org.apache.commons.httpclient.auth.BasicScheme.authenticate method and attached to the HTTP header list by HttpAuthenticator. This means that, in the case of an unattended (wget-style) application, the user name and password must be stored in clear text in a configuration file somewhere. Obviously, BASIC authentication is inherently insecure, but we'd like to be able to add a slight notch of security (at least guarding against inadvertent compromises by otherwise trusted users) by pre-encoding the username/password, storing *that* value in the configuration file, and providing it in a new "PreEncodedCredentials" class. It's obviously not secure, but it makes the security auditors happy (well, happier). The current design of HttpClient doesn't allow us to plug in our own authentication scheme (everything's referenced as a static method). I've noticed a lot of discussion on the site about an impending redesign (perhaps better support for plugging in new authenticators?), but in the meantime, if you're interested, I can provide a patch to implement this bit of extra security. Is this something that HttpClient in general might be able to benefit from? --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
