[
https://issues.apache.org/jira/browse/HTTPCLIENT-1599?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14279347#comment-14279347
]
Marcos Scriven edited comment on HTTPCLIENT-1599 at 1/15/15 9:52 PM:
---------------------------------------------------------------------
Looking into this further, I thought it would be confusing for someone looking
at this code to see {{some-realm}}. What's that realm they'd ask?
I looked into the {{HttpClient}} code, and there are three places that realm
could potentially be accessed from:
* {{RFC2617Scheme.getParameters();}}
Only used in {{DigestScheme}} to add a parameter. Not used in any of the tests
* {{RFC2617Scheme.getParameter("realm");}}
Oddly used within {{DigestScheme}} rather than its own {{getRealm()}} method
* {{RFC2617Scheme.getRealm();}}
Used in {{AuthenticationStrategyAdaptor}} which is deprecated
Used in {{AuthenticationStrategyImpl.select()}}, but defaults to
{{AuthScope.ANY_REALM}} if null
So, I think I've confirmed that the realm challenge is not used at all with
{{BasicScheme}}, and yet one is forced to specify one. Is the best I can do
just comment the line with "this realm is not used"?
The other thing is, even though realm isn't used, I still have to handle a
{{MalformedChallengeException}}.
> Need an alternative to the deprecated BasicScheme(ChallengeState)
> -----------------------------------------------------------------
>
> Key: HTTPCLIENT-1599
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1599
> Project: HttpComponents HttpClient
> Issue Type: Improvement
> Components: HttpClient
> Affects Versions: 4.3.6
> Reporter: Marcos Scriven
> Priority: Minor
>
> The documentation for HttpClient 4 mentions the potential security issues
> around preemptive authentication.
> That notwithstanding, it provides the following solution
> (https://hc.apache.org/httpcomponents-client-ga/httpclient/examples/org/apache/http/examples/client/ClientPreemptiveBasicAuthentication.java)
> :
> {code}
> // Create AuthCache instance
> AuthCache authCache = new BasicAuthCache();
> // Generate BASIC scheme object and add it to the local
> // auth cache
> BasicScheme basicAuth = new BasicScheme();
> authCache.put(target, basicAuth);
> // Add AuthCache to the execution context
> HttpClientContext localContext = HttpClientContext.create();
> localContext.setAuthCache(authCache);
> {code}
> This works fine, except for proxy authentication. In {{BasicScheme}}, the
> authenticate method checks the ChallengeState:
> https://github.com/apache/httpclient/blob/trunk/httpclient/src/main/java/org/apache/http/impl/auth/BasicScheme.java#L173
> The solution thus would appear to be to set the ChallengeState to {{PROXY}}:
> {code}
> BasicScheme proxyScheme = new BasicScheme(ChallengeState.PROXY);
> {code}
> This works, but appears to have been deprecated, and there's no alternative
> way to set this without first receiving a proxy auth challenge response.
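The non-deprecated route the comment above alludes to (a placeholder realm plus a checked {{MalformedChallengeException}}), as an added example that is not code from the issue or from the HttpClient project. It assumes HttpClient 4.3.x, where {{processChallenge}} derives the challenge state from the header name; the class name, method name and realm value are hypothetical.

```java
import org.apache.http.HttpHost;
import org.apache.http.auth.AUTH;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.MalformedChallengeException;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.AuthCache;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.client.protocol.HttpClientContext;
import org.apache.http.impl.auth.BasicScheme;
import org.apache.http.impl.client.BasicAuthCache;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.message.BasicHeader;

// Hypothetical helper class, not part of HttpClient.
public class PreemptiveProxyBasicAuth {

    public static HttpClientContext contextFor(HttpHost proxy, String user, String password)
            throws MalformedChallengeException {
        // Scope the credentials to the proxy host and port only, so the
        // preemptively sent password cannot be offered to any other host.
        CredentialsProvider credentials = new BasicCredentialsProvider();
        credentials.setCredentials(
                new AuthScope(proxy.getHostName(), proxy.getPort()),
                new UsernamePasswordCredentials(user, password));

        // Feed the scheme a synthetic Proxy-Authenticate challenge. The header
        // name (AUTH.PROXY_AUTH) is what puts the scheme into the PROXY state;
        // the realm is a placeholder that BasicScheme never reads, but the
        // challenge parser rejects a challenge with no parameters.
        BasicScheme proxyScheme = new BasicScheme();
        proxyScheme.processChallenge(
                new BasicHeader(AUTH.PROXY_AUTH, "Basic realm=\"unused\""));

        // Register the primed scheme against the proxy, not the target.
        AuthCache authCache = new BasicAuthCache();
        authCache.put(proxy, proxyScheme);

        HttpClientContext context = HttpClientContext.create();
        context.setCredentialsProvider(credentials);
        context.setAuthCache(authCache);
        return context;
    }
}
```

The returned context is passed to {{execute(target, request, context)}} on a client routed through the same proxy {{HttpHost}}; {{proxyScheme.isProxy()}} returns true after the synthetic challenge is processed.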