Hi Rich,
In addition to Thierry’s answer, we recently added support for the Authentication-Info HTTP header which can be used for preemptive DIGEST authentication. There is an org.restlet.data.AuthenticationInfo class and the Response#authenticationInfo for this.

See the related issue for guidance: “Client support for HTTP Digest session keys for preemptive authentication”
http://restlet.tigris.org/issues/show_bug.cgi?id=922

Best regards,
Jerome Louvel
--
Restlet ~ Founder and Technical Lead ~ http://www.restlet.org
Noelios Technologies ~ http://www.noelios.com

From: Thierry Boileau [mailto:[email protected]]
Sent: Thursday, February 25, 2010 18:55
To: [email protected]
Subject: Re: Including DIGEST auth ChallengeResponse with initial request

Hello Rich,

the digest scheme requires the client to receive some data from the server in order to complete correctly the next request. The sample app shows that a first request is sent with insufficient credentials, then the server sends back this necessary data.

Here is the code that completes the ChallengeResponse object according to the server's data:

    // Complete the challengeResponse object according to the server's data
    // 1- Loop over the challengeRequest objects sent by the server.
    ChallengeRequest c1 = null;
    for (ChallengeRequest challengeRequest : r.getChallengeRequests()) {
        if (ChallengeScheme.HTTP_DIGEST.equals(challengeRequest.getScheme())) {
            c1 = challengeRequest;
            break;
        }
    }
    // 2- Create the Challenge response used by the client to authenticate its requests.
    ChallengeResponse challengeResponse = new ChallengeResponse(c1, r.getRequest(),
            r.getResponse(), "login", "secret".toCharArray());

Then you can set this challengeResponse for the next request:

    r.setChallengeResponse(challengeResponse);

At this time, you can send a request; it should be authenticated.

Regarding any further requests, if the server wants to make life easy, it can allow you to use the same credentials for a certain period of time, or for a certain number of requests. But it can also oblige you to compute a new ChallengeResponse... It depends on the security policy of the server.

Best regards,
Thierry Boileau

Everyone,

Sorry about reposting, but there has been no response to my post from a week ago.

I currently have a RESTLET 2.0m6 based client and server. They are set up to use DIGEST authentication (as shown in http://wiki.restlet.org/docs_2.0/13-restlet/27-restlet/46-restlet/112-restlet.html). Requests are working, except that every request is challenged and needs to be resent with the response.

I am trying to include the correct ChallengeResponse with each new request, but I am missing how it should be constructed. After a challenge I build the ChallengeResponse as

[[[
challengeResponse = new ChallengeResponse(challengeRequest,request,response,userid,passwd);
request.setChallengeResponse(challengeResponse);
]]]

which works as expected. But when I am about to issue the next request after the resent challenged request completes I cannot figure out how to build and attach the ChallengeResponse that is built based upon the last challenge received. To build the ChallengeResponse, I need to provide the request and response, but if I have not yet tried the request, what is the proper Response?

Thanks for your help.

Rich

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2452086

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2452564
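
The thread above turns on why a DIGEST response cannot be built before the server's first challenge, and on when it can be reused for later requests. As an added example (plain JDK code, not from the thread and not Restlet's own implementation), the RFC 2617 qop=auth computation below shows that the response value depends on the server-issued nonce and a per-nonce request counter, so a follow-up request can be authenticated preemptively by reusing the nonce with an incremented count. The class and method names are hypothetical; the sample values are those of the RFC 2617 section 3.5 example, and the second URI is constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class DigestPreemptiveExample {

    // Lower-case hex MD5 of a string, as RFC 2617 uses for H(...).
    static String md5Hex(String s) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("MD5")
                .digest(s.getBytes(StandardCharsets.ISO_8859_1));
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    // RFC 2617 "response" value for qop=auth and algorithm=MD5.
    // nonce and realm come from the server's challenge; nonceCount is the
    // number of requests the client has sent with this nonce, starting at 1.
    static String digestResponse(String user, String realm, char[] password,
                                 String method, String uri, String nonce,
                                 int nonceCount, String cnonce)
            throws NoSuchAlgorithmException {
        String ha1 = md5Hex(user + ":" + realm + ":" + new String(password));
        String ha2 = md5Hex(method + ":" + uri);
        String nc = String.format("%08x", nonceCount);
        return md5Hex(ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":auth:" + ha2);
    }

    public static void main(String[] args) throws Exception {
        // Values taken from the example in RFC 2617 section 3.5.
        String realm = "testrealm@host.com";
        String nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093";
        String cnonce = "0a4f113b";
        char[] password = "Circle Of Life".toCharArray();

        // Request answering the 401 challenge: first use of the nonce.
        String first = digestResponse("Mufasa", realm, password,
                "GET", "/dir/index.html", nonce, 1, cnonce);
        System.out.println("nc=00000001 response=" + first);
        System.out.println("matches RFC 2617 example: "
                + first.equals("6629fae49393a05397450978507c4ef1"));

        // Preemptive follow-up (constructed URI): same nonce, counter incremented.
        // A server whose policy has expired the nonce answers 401 again, and the
        // client then recomputes from the new challenge.
        String second = digestResponse("Mufasa", realm, password,
                "GET", "/dir/other.html", nonce, 2, cnonce);
        System.out.println("nc=00000002 response=" + second);
    }
}
```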

