[ 
https://issues.apache.org/jira/browse/CAMEL-4056?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13046399#comment-13046399
 ] 

Richard Kettelerij edited comment on CAMEL-4056 at 6/9/11 8:38 AM:
-------------------------------------------------------------------

Willem, Claus,

Thanks for reporting. I was also thinking about the same; we shouldn't enable 
preemptive auth by default since it's a potential security risk (although we 
already allow authentication against arbitrary realms and hosts, which might be 
a bigger security risk). I'll make this setting non-default ASAP. Furthermore, 
I'm working on getting it running in {{camel-http4}}. 

      was (Author: rkettelerij):
    Willem, Claus,

Thanks for reporting. I was also thinking about the same, we shouldn't enable 
preemptive auth by default since it's a potential security risk (although we're 
already allow authentication against arbitrary realms and hosts, which might be 
a bigger security risk). I'll make this setting non-default asap. Furthermore 
I'm working on getting it running in {{camel-http4}}. 
  
> Enable preemptive basic authentication by default
> -------------------------------------------------
>
>                 Key: CAMEL-4056
>                 URL: https://issues.apache.org/jira/browse/CAMEL-4056
>             Project: Camel
>          Issue Type: Improvement
>          Components: camel-http
>    Affects Versions: 2.7.2
>            Reporter: Richard Kettelerij
>            Assignee: Richard Kettelerij
>             Fix For: 2.8.0
>
>
> Currently Camel only sends credentials when a server explicitly prompts for 
> basic authentication. However, there are cases where a URL is available to both 
> authenticated as well as unauthenticated parties. In that case the 
> {{camel-http}} component won't send any credentials to the server, even 
> though the credentials are explicitly provided in the URI or Exchange.
> This can be solved by enabling preemptive authentication in Apache 
> HttpClient. In that case the credentials will always be provided whether the 
> server asks for them or not. Enabling this provides a sensible default.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
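
The trade-off raised in this thread, as an added Python model (not Camel or HttpClient code, and not from the issue): challenge-only auth never authenticates to a URL that serves both anonymous and authenticated callers, while preemptive auth with an unrestricted host/realm scope hands the Basic header to hosts that never asked for it. The host names, user, secret and the `Client`/`Server` classes are constructed for illustration.

```python
import base64

ANY = None  # wildcard scope value: matches every host or realm

def basic_header(user, password):
    """Basic scheme: base64 of "user:password" (encoding, not encryption)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

class Server:
    """Constructed server; realm=None means it never sends a 401 challenge."""
    def __init__(self, host, realm=None):
        self.host, self.realm = host, realm

    def handle(self, auth, seen):
        seen.append(auth)
        return (401, self.realm) if self.realm and not auth else (200, None)

class Client:
    """Model of a client holding one credential bound to a host/realm scope."""
    def __init__(self, preemptive, host=ANY, realm=ANY):
        self.preemptive, self.host, self.realm = preemptive, host, realm
        self.creds = basic_header("svc-user", "constructed-secret")

    def in_scope(self, host, realm=ANY):
        host_ok = self.host is ANY or self.host == host
        realm_ok = realm is ANY or self.realm is ANY or self.realm == realm
        return host_ok and realm_ok

    def get(self, server):
        """Send one GET; return the Authorization headers the server saw."""
        seen = []
        # Preemptive: attach credentials before any challenge (realm unknown).
        first = self.creds if self.preemptive and self.in_scope(server.host) else None
        status, realm = server.handle(first, seen)
        if status == 401 and self.in_scope(server.host, realm):
            server.handle(self.creds, seen)  # answer the server's challenge
        return [h for h in seen if h]

def run_scenarios():
    mixed = Server("api.example.test")      # open to anonymous and authenticated
    other = Server("other.example.test")    # unrelated host, never challenges
    return {
        "challenge_only_mixed": len(Client(False).get(mixed)),
        "preemptive_any_other": len(Client(True).get(other)),
        "preemptive_scoped_other": len(Client(True, "api.example.test").get(other)),
        "preemptive_scoped_mixed": len(Client(True, "api.example.test").get(mixed)),
    }
```

Each value returned by `run_scenarios()` is the number of requests in which the server received credentials; binding the credential to a specific host keeps the preemptive behaviour for the intended endpoint only.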
