On 23 January 2013 16:24, Adam Murdoch <[email protected]> wrote:
> > On 24/01/2013, at 3:47 AM, Daz DeBoer wrote: > > G'day > > Another issue has been discovered with 1.4-rc-2: > http://issues.gradle.org/browse/GRADLE-2650. > > It's unfortunate that the symptoms of this issue are very similar to > http://issues.gradle.org/browse/GRADLE-2641 which was fixed in 1.4-rc-2. > This similarity meant that we originally thought it was the same issue. > > It's possible that the fix is as simple as setting http.keepAlive = "true" > explicitly in our code, to workaround the bug in HttpClient 4.2.2. I'm > waiting to hear back on this front. > > If that doesn't fix the issue, we might want to consider introducing a > system property that would permit a user to specify which authentication > scheme should be used. That would also allow users to avoid the needless > attempts at NTLM authentication with every request, as well as removing the > warning that is often emitted about NEGOTIATE credentials not being > available. > There is actually a standard java system property for this, so we could > simply honour that preference: ( > http://docs.oracle.com/javase/7/docs/technotes/guides/net/http-auth.html) > > http.auth.preference="scheme" > > Finally, we could consider upgrading to HttpClient 4.2.3, which may have > resolved this issue. I think we should do this for 1.5, as the new version > has vastly improved NTML authentication that might allow us to replace the > JCIFS implementation we currently use. We could use a custom value like > http.auth.preference="jcifs" to permit users to continue using the old > implementation (until we are confident the new implementation works). > > > The question is whether we need to do anything for the 1.4 release. > My feeling is that this is a serious issue that will impact pretty much everyone using NTLM authentication. > My understanding is that, right now, if I use a proxy that requires (or > just prefers) NTLM authentication and I haven't explicitly set > http.keepAlive = true, then I'm going to hit the problem. > I suspect that this is the problem, and I hope that the fix is as simple as setting http.keepAlive = "true". I'm awaiting feedback from the reporter. > > If that's the case, then it really needs to be fixed, possibly with one of > the above options or possibly just a roll back of httpclient. > If it works, I'd opt for hard-setting http.keepAlive = true, and keeping the current version of http client. Not sure what the motivation for the original upgrade to 4.2.2 was: PeterN made this change soon after we branched for 1.3. But certainly downgrading to 4.2.1 would be safer than upgrading to 4.2.3 methinks (pretty major changes in that upgrade). -- Daz
