[ https://issues.apache.org/jira/browse/HTTPCLIENT-1599?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14281297#comment-14281297 ]

Oleg Kalnichevski commented on HTTPCLIENT-1599:
-----------------------------------------------

Realm attribute is included in AuthScope, which can have an impact on whether 
or not creds end up sent in clear text to the wrong people. Basic auth 
challenge would also be accepted without a realm.

{code:java}
BasicScheme basicScheme = new BasicScheme();
basicScheme.processChallenge(
        new BasicHeader(HttpHeaders.PROXY_AUTHENTICATE, "Basic "));
{code}

Oleg

> Need an alternative to the deprecated BasicScheme(ChallengeState)
> -----------------------------------------------------------------
>
>                 Key: HTTPCLIENT-1599
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1599
>             Project: HttpComponents HttpClient
>          Issue Type: Improvement
>          Components: HttpClient
>    Affects Versions: 4.3.6
>            Reporter: Marcos Scriven
>            Priority: Minor
>
> The documentation for HttpClient 4 mentions the potential security issues 
> around preemptive authentication.
> That notwithstanding, it provides the following solution 
> (https://hc.apache.org/httpcomponents-client-ga/httpclient/examples/org/apache/http/examples/client/ClientPreemptiveBasicAuthentication.java):
> {code}
> // Create AuthCache instance
> AuthCache authCache = new BasicAuthCache();
> // Generate BASIC scheme object and add it to the local
> // auth cache
> BasicScheme basicAuth = new BasicScheme();
> authCache.put(target, basicAuth);
> // Add AuthCache to the execution context
> HttpClientContext localContext = HttpClientContext.create();
> localContext.setAuthCache(authCache);
> {code}
> This works fine, except for proxy authentication. In {{BasicScheme}}, the 
> authenticate method checks the ChallengeState: 
> https://github.com/apache/httpclient/blob/trunk/httpclient/src/main/java/org/apache/http/impl/auth/BasicScheme.java#L173
> The solution thus would appear to be to set the ChallengeState to {{PROXY}}:
> {code}
> BasicScheme proxyScheme = new BasicScheme(ChallengeState.PROXY);
> {code}
> This works, but appears to have been deprecated, and there's no alternative 
> way to set this without first receiving a proxy auth challenge response.
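
The approach from the comment above combined with the AuthCache setup from the issue description, as an added example that is not part of the original thread or of the HttpClient project. It is written against the HttpClient 4.3.x API; the class name, proxy host, realm and credentials are constructed placeholders.

```java
import org.apache.http.HttpHeaders;
import org.apache.http.HttpHost;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.MalformedChallengeException;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.AuthCache;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.client.protocol.HttpClientContext;
import org.apache.http.impl.auth.BasicScheme;
import org.apache.http.impl.client.BasicAuthCache;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.message.BasicHeader;

public class PreemptiveProxyBasicAuth {

    // Synthesize the challenge a proxy would send. The Proxy-Authenticate
    // header name is what puts the scheme into proxy challenge state.
    static BasicScheme proxyBasicScheme(String realm) throws MalformedChallengeException {
        BasicScheme scheme = new BasicScheme();
        scheme.processChallenge(new BasicHeader(
                HttpHeaders.PROXY_AUTHENTICATE, "Basic realm=\"" + realm + "\""));
        return scheme;
    }

    // Build a context that answers the proxy preemptively with Basic auth.
    static HttpClientContext proxyContext(HttpHost proxy, BasicScheme scheme,
                                          String user, String password) {
        // Register the credentials for this proxy host, realm and scheme,
        // not under the catch-all AuthScope.ANY.
        CredentialsProvider creds = new BasicCredentialsProvider();
        creds.setCredentials(new AuthScope(proxy, scheme.getRealm(), "basic"),
                new UsernamePasswordCredentials(user, password));
        AuthCache authCache = new BasicAuthCache();
        authCache.put(proxy, scheme);
        HttpClientContext context = HttpClientContext.create();
        context.setCredentialsProvider(creds);
        context.setAuthCache(authCache);
        return context;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, not taken from the thread.
        HttpHost proxy = new HttpHost("proxy.example.internal", 3128);
        BasicScheme scheme = proxyBasicScheme("corp-proxy");
        System.out.println("proxy state: " + scheme.isProxy() + ", realm: " + scheme.getRealm());
        HttpClientContext context = proxyContext(proxy, scheme, "user", "placeholder-password");
        System.out.println("cached scheme: " + context.getAuthCache().get(proxy).getSchemeName());
    }
}
```

The returned context is passed to `execute(request, context)` on a client whose route goes through the same proxy host.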


