Hi willyh.

What is missing is a way to preemptively authenticate your request with the Digest scheme (see RFE #288 http://restlet.tigris.org/issues/show_bug.cgi?id=288). As you will see, it's a little bit more difficult than with the Basic authentication. In a few words, the server sends a list of values to the client that the client must use in order to generate a digest value according to an algorithm ("MD5" for example). Thus, it requires you to know in advance (which is mostly not the case) or to discover these values. That is to say, you need to make one request, get the values sent by the server and use them in order to generate a proper ChallengeResponse object for your request.

For example, you want to request "http://localhost:8182/".
At the first attempt, you get back this "WWW-Authenticate" header from the server: Digest realm="realm", domain="null", qop="auth", algorithm=MD5, nonce="MTIxMjY1NDAwNjIzMzo2MWRhMTQ0MTRkOGQyNzkxMWNjNGU0MTM1ZmM4OTlkNw=="

Then, you use the values in order to generate the following "Authorization" header: Digest username="login", realm="realm", nonce="MTIxMjY1NDAwNjIzMzo2MWRhMTQ0MTRkOGQyNzkxMWNjNGU0MTM1ZmM4OTlkNw==", uri="/", algorithm=MD5, response="8888181e0c231df689bcb737460f8368", qop=auth


Feel free to ask any more questions.

best regards,
Thierry Boileau
PS: I am sending you some sample code with such a two-phase request. Let's say that your login/password is "login/secret".


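       // Imports needed by this sample (Restlet 1.x package layout)
       import org.restlet.Client;
       import org.restlet.data.*;
       import org.restlet.util.Engine;

       Reference reference = new Reference("http://localhost:8182/");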

       // first request
       Client client = new Client(Protocol.HTTP);
       Request request = new Request(Method.GET, reference);
       Response response = client.handle(request);

       // second request
       response.getChallengeRequest().getParameters();
       // Get the values sent by the server
       request = new Request(Method.GET, reference);
       ChallengeResponse challengeResponse = new ChallengeResponse(ChallengeScheme.HTTP_DIGEST,
               "login", "secret");
       // Prepare the ChallengeResponse parameters
       Form form = new Form();
       // Your login
       form.add("username", "login");
       form.add("uri", reference.getPath());

       // Retrieve values sent by the server
       form.add(response.getChallengeRequest().getParameters().getFirst("nonce"));
       form.add(response.getChallengeRequest().getParameters().getFirst("realm"));
       form.add(response.getChallengeRequest().getParameters().getFirst("domain"));
       form.add(response.getChallengeRequest().getParameters().getFirst("algorithm"));
       form.add(response.getChallengeRequest().getParameters().getFirst("qop"));

       // Generate some digest values with your login, password, realm, request method, and URI path.
       // The login is stored in the form under the "username" key.
       String a1 = Engine.getInstance().toMd5(form.getFirstValue("username") + ":"
               + form.getFirstValue("realm") + ":" + "secret");
       String a2 = Engine.getInstance().toMd5(request.getMethod() + ":"
               + form.getFirstValue("uri"));

       // the "response" parameter is the final digest value. (its value may differ
       // if the server sends these parameters: "cnonce" and "nc")
       form.add("response", Engine.getInstance().toMd5(a1 + ":"
               + form.getFirstValue("nonce") + ":" + a2));

       challengeResponse.setCredentialComponents(form);
       request.setChallengeResponse(challengeResponse);
       response = client.handle(request);
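
The digest computation from the sample above, as an added stand-alone example using only the JDK (it is not part of the original message and not Restlet code). It goes one step further and also shows the qop=auth form from RFC 2617, where the client picks a cnonce and a nonce count nc and both are hashed into the response. The class and method names are hypothetical, and nc "00000001" assumes the first use of the nonce.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

public class DigestResponseExample {
    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Lower-case hex MD5 of a string, the encoding the Digest scheme uses.
    static String md5Hex(String s) throws NoSuchAlgorithmException {
        return hex(MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.ISO_8859_1)));
    }

    // qop == null: MD5(HA1:nonce:HA2), the form computed in the sample above.
    // qop "auth":  MD5(HA1:nonce:nc:cnonce:qop:HA2), binding the client nonce and counter.
    static String digestResponse(String user, String realm, String password, String method,
            String uri, String nonce, String qop, String nc, String cnonce) throws NoSuchAlgorithmException {
        String ha1 = md5Hex(user + ":" + realm + ":" + password);
        String ha2 = md5Hex(method + ":" + uri);
        if (qop == null) return md5Hex(ha1 + ":" + nonce + ":" + ha2);
        return md5Hex(ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":" + qop + ":" + ha2);
    }

    // Fresh random client nonce, generated per request.
    static String newCnonce() {
        byte[] raw = new byte[8];
        new SecureRandom().nextBytes(raw);
        return hex(raw);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Self-check against the worked example in RFC 2617, section 3.5.
        String rfc = digestResponse("Mufasa", "testrealm@host.com", "Circle Of Life", "GET",
                "/dir/index.html", "dcd98b7102dd2f0e8b11d0f600bfb0c093", "auth", "00000001", "0a4f113b");
        if (!rfc.equals("6629fae49393a05397450978507c4ef1")) throw new AssertionError(rfc);

        // Values from the message above: login/secret, realm "realm", GET "/".
        String nonce = "MTIxMjY1NDAwNjIzMzo2MWRhMTQ0MTRkOGQyNzkxMWNjNGU0MTM1ZmM4OTlkNw==";
        System.out.println("no qop:   "
                + digestResponse("login", "realm", "secret", "GET", "/", nonce, null, null, null));
        String cnonce = newCnonce();
        System.out.println("qop=auth: cnonce=" + cnonce + " response="
                + digestResponse("login", "realm", "secret", "GET", "/", nonce, "auth", "00000001", cnonce));
    }
}
```

When the qop=auth form is used, the Authorization header must also carry the same nc and cnonce values so the server can recompute the hash.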


Hi willyh,

I've already had problems with the digest authentication. But I used basic, because it was not important for me.

Best regards
  Stephan

willyh wrote:
Using HTTP_DIGEST authentication fails on a POST method. The HttpClient library
logs the following:

Authentication requested but doAuthentication is disabled

I see the same result using Restlet 1.0.10 and Restlet 1.1M4. I suspect this is
only a client issue. Has anyone else encountered this?
