Hi, Any idea when is Http Client 4.0 is schedule for release. Also has this been taken care in 4.0? Http Client is planning to do this in 4.0 It's on my list for 4.0, though it won't make it into client alpha1: http://wiki.apache.org/jakarta-httpclient/ConnectionManagementDesign
Please refer to mail chain below for issue and your comments: ________________________________________________________________________ ____ Hi Odi, > I would actually consider this a security issue in the connection > managers: It may hand out an already authenticated connection to an > unsuspecting client. We should add fields to HttpConnection that keep > track of the credentials for connection oriented AuthSchemes. So > connection managers can take this into account. Also the connection > managers lack a parameter in the getConnection methods that carries > authentication information for connection based auth schemes. It's on my list for 4.0, though it won't make it into client alpha1: http://wiki.apache.org/jakarta-httpclient/ConnectionManagementDesign It's not urgent since we won't have NTLM support for a while. I don't think we can or should squeeze this into 3.x anymore. cheers, Roland Pankaj, NTLM is designed to authenticate a connection. AFAIK it does not support a "logout" in the middle of a connection, nor does it support preemptive authentication. So the only way to force a new authentication is to close the connection. (e.g. try and clear the authentication to a mapped network drive in Windows. Probably the same issue there.) Thus it's not possible to share a connection between users when using NTLM auth. Yes, this may cause a performance hit if you were planning to share a connection between different users. You could tweak your connection manager to remember the authenticated user for each connection and try to find an already authenticated one or hand out a new one if you can't. I would actually consider this a security issue in the connection managers: It may hand out an already authenticated connection to an unsuspecting client. We should add fields to HttpConnection that keep track of the credentials for connection oriented AuthSchemes. So connection managers can take this into account. Also the connection managers lack a parameter in the getConnection methods that carries authentication information for connection based auth schemes. Ortwin Pankaj Arora wrote: > Thanks, That worked for me. Only thing that worries me is that > connections don't persist now. It might be a performance issue. Only > thing which I would like to know from you( as I am bit novice here)- > what is the right behavior, my client not authenticating second time > as connection is already authenticated or closing the connections to > force authentication repeatedly. > > Thanks, Pankaj Arora. ________________________________________________________________________ ____ Thanks, Pankaj Arora --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
