On Tue, 2009-01-06 at 15:21 -0800, Pankaj Arora wrote:
> Hi Odi and Roland,
> Was curious to know if this feature finally made it into 4.0.

Yes, it has

> Moreover, when is the final 4.0 version for commons expected?
>

Q2 2009

Oleg

> Thanks,
> Pankaj Arora
>
>
> Hi Odi,
>
> > I would actually consider this a security issue in the connection
> > managers: It may hand out an already authenticated connection to an
> > unsuspecting client. We should add fields to HttpConnection that keep
> > track of the credentials for connection oriented AuthSchemes. So
> > connection managers can take this into account. Also the connection
> > managers lack a parameter in the getConnection methods that carries
> > authentication information for connection based auth schemes.
>
> It's on my list for 4.0, though it won't make it into client alpha1:
> http://wiki.apache.org/jakarta-httpclient/ConnectionManagementDesign
> It's not urgent since we won't have NTLM support for a while.
>
> I don't think we can or should squeeze this into 3.x anymore.
>
> cheers,
> Roland
>
> -----Original Message-----
> From: Ortwin Glück [mailto:[email protected]]
> Sent: Friday, May 18, 2007 5:41 AM
> To: HttpComponents Project
> Subject: Re: FW: HttpClient authentication problem.
>
> Pankaj,
>
> NTLM is designed to authenticate a connection. AFAIK it does not support
> a "logout" in the middle of a connection, nor does it support preemptive
> authentication. So the only way to force a new authentication is to
> close the connection. (e.g. try and clear the authentication to a mapped
> network drive in Windows. Probably the same issue there.)
>
> Thus it's not possible to share a connection between users when using
> NTLM auth. Yes, this may cause a performance hit if you were planning to
> share a connection between different users.
>
> You could tweak your connection manager to remember the authenticated
> user for each connection and try to find an already authenticated one or
> hand out a new one if you can't.
>
> I would actually consider this a security issue in the connection
> managers: It may hand out an already authenticated connection to an
> unsuspecting client. We should add fields to HttpConnection that keep
> track of the credentials for connection oriented AuthSchemes. So
> connection managers can take this into account. Also the connection
> managers lack a parameter in the getConnection methods that carries
> authentication information for connection based auth schemes.
>
> Ortwin
>
>
> Pankaj Arora wrote:
> > Thanks, that worked for me. The only thing that worries me is that
> > connections don't persist now. It might be a performance issue. The only
> > thing which I would like to know from you (as I am a bit of a novice here) -
> > what is the right behavior, my client not authenticating a second time
> > as the connection is already authenticated or closing the connections to
> > force authentication repeatedly.
> >
> > Thanks, Pankaj Arora.
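
The connection-manager change Ortwin describes above (remember the authenticated user for each connection, reuse only a matching one, otherwise hand out a new one), as an added example. It is not HttpClient code and not code from this thread; `UserAwarePool`, `Conn`, `lease` and `release` are hypothetical names, and the NTLM handshake is simulated by setting `owner`.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;

/** Hypothetical pool: an idle connection is reused only by the user who authenticated it. */
public class UserAwarePool {
    /** Stand-in for a pooled connection; owner is the identity a connection-based scheme bound to it. */
    static final class Conn {
        final int id;
        String owner; // null until a connection-oriented auth scheme (e.g. NTLM) completes
        Conn(int id) { this.id = id; }
    }

    private final Map<String, Deque<Conn>> idleByOwner = new HashMap<>();
    private final Deque<Conn> idleUnauthenticated = new ArrayDeque<>();
    private int nextId = 1;

    /** Lease a connection for user; never returns one authenticated as somebody else. */
    public synchronized Conn lease(String user) {
        Objects.requireNonNull(user, "user");
        Deque<Conn> mine = idleByOwner.get(user);
        if (mine != null && !mine.isEmpty()) return mine.pop();               // already authenticated as user
        if (!idleUnauthenticated.isEmpty()) return idleUnauthenticated.pop(); // carries no identity yet
        return new Conn(nextId++);                                            // otherwise open a fresh one
    }

    /** Return a connection; it is filed under the identity it carries, if any. */
    public synchronized void release(Conn c) {
        if (c.owner == null) idleUnauthenticated.push(c);
        else idleByOwner.computeIfAbsent(c.owner, k -> new ArrayDeque<>()).push(c);
    }

    public static void main(String[] args) {
        UserAwarePool pool = new UserAwarePool();
        Conn a = pool.lease("alice");
        a.owner = "alice";             // constructed: pretend the handshake succeeded for alice
        pool.release(a);
        Conn b = pool.lease("bob");    // must not receive alice's authenticated connection
        Conn a2 = pool.lease("alice"); // may reuse it, avoiding a second handshake
        System.out.println("bob got conn " + b.id + ", alice got conn " + a2.id);
        if (b == a || a2 != a) throw new AssertionError("connection handed to the wrong user");
    }
}
```

Keying the idle set by user keeps persistent connections for repeat requests from the same user, which addresses the performance concern in the thread without closing every connection after use.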
