Thierry,
Thanks for the reply. We are in sync as far as your description goes.
The server is a Restlet server where I set up the authentication guard as follows:

ArrayList<Reference> domainRefs = new ArrayList<Reference>();
domainRefs.add(new Reference("/"));
DigestAuthenticator da = new DigestAuthenticator(getContext(), false, "test",
        domainRefs, "serverKey");
da.setWrappedVerifier(UserStore.getUserStore());
da.setNext(filter);

My understanding from the API doc is that this should default to the nonce
being valid for 5 minutes.
Now once I have issued a request, been challenged, created a valid
challengeResponse, resent the request, and received the final response after
server authentication succeeded, how do I construct the next request to include
the proper ChallengeResponse to allow immediate authentication, as long as the
5 min period has not expired?
I have tried
request.setChallengeResponse(challengeResponse_used_on_last_request) but this
always gets challenged.
I also tried to create a new ChallengeResponse for the new request from the
ChallengeRequest received on the challenge that was successfully replied to. The
ChallengeResponse constructor requires a Response so I used new
Response(request). The net result is the same, the request is challenged and I
have to reissue it with a new ChallengeResponse.
Do you have any ideas about what I am missing? I would really like to eliminate
the need for two round trips for every request.
Thanks
Rich
> Hello Rich,
>
> the digest scheme requires the client to receive some data from the
> server in order to complete correctly the next request. The sample app
> shows that a first request is sent with insufficient credentials, then
> the server sends back this necessary data.
> Here is the code that completes the ChallengeResponse object according to
> the server's data:
>
> // Complete the challengeResponse object according to the server's data
> // 1- Loop over the challengeRequest objects sent by the server.
> ChallengeRequest c1 = null;
> for (ChallengeRequest challengeRequest : r.getChallengeRequests()) {
>     if (ChallengeScheme.HTTP_DIGEST.equals(challengeRequest.getScheme())) {
>         c1 = challengeRequest;
>         break;
>     }
> }
>
> // 2- Create the Challenge response used by the client to authenticate
> // its requests.
> ChallengeResponse challengeResponse = new ChallengeResponse(c1,
>         r.getRequest(), r.getResponse(), "login", "secret".toCharArray());
>
> Then you can set this challengeResponse for the next request:
> r.setChallengeResponse(challengeResponse);
>
> At this time, you can send a request, it should be authenticated.
>
> Regarding any further requests, if the server wants to make life easy, it
> can allow you to use the same credentials for a certain period of time,
> or for a certain number of requests. But it can also oblige you to
> compute a new ChallengeResponse... It depends on the security policy of
> the server.
>
> Best regards,
> Thierry Boileau
>
> > Everyone,
> >
> > Sorry about reposting, but there has been no response to my post from a
> > week ago.
> >
> > I currently have a Restlet 2.0m6 based client and server. They are set up to
> > use DIGEST authentication (as shown in http://wiki.restlet.…
------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2452548
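
The computation behind the exchange discussed in this thread, as an added example that is not part of the original messages and uses only the JDK, not the Restlet API. Under RFC 2617 with qop=auth the Digest response covers the method, URI, server nonce, nonce count (nc) and client nonce, so a follow-up request that reuses a still-valid nonce carries a newly computed response with nc incremented. The class name and the second request's URI and cnonce are constructed; the other sample values are the RFC 2617 section 3.5 example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Added illustration (JDK only, no Restlet classes): RFC 2617 Digest, MD5, qop=auth.
public class DigestNonceReuse { // hypothetical class name

    static String md5Hex(String s) throws Exception {
        byte[] d = MessageDigest.getInstance("MD5")
                .digest(s.getBytes(StandardCharsets.ISO_8859_1));
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02x", b & 0xff));
        return sb.toString();
    }

    // response = MD5(HA1:nonce:nc:cnonce:qop:HA2)
    // HA1 = MD5(user:realm:password), HA2 = MD5(method:uri)
    static String response(String user, String realm, String password,
                           String method, String uri, String nonce,
                           int nonceCount, String cnonce) throws Exception {
        String ha1 = md5Hex(user + ":" + realm + ":" + password);
        String ha2 = md5Hex(method + ":" + uri);
        String nc = String.format("%08x", nonceCount); // 8 hex digits, e.g. 00000001
        return md5Hex(ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":auth:" + ha2);
    }

    public static void main(String[] args) throws Exception {
        String user = "Mufasa", realm = "testrealm@host.com", pw = "Circle Of Life";
        String nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"; // taken from the server's challenge

        // First authenticated request: nc = 1 (values from RFC 2617 section 3.5).
        String first = response(user, realm, pw, "GET", "/dir/index.html", nonce, 1, "0a4f113b");
        if (!first.equals("6629fae49393a05397450978507c4ef1")) {
            throw new IllegalStateException("RFC 2617 test vector mismatch: " + first);
        }

        // Follow-up request on the same nonce: nc = 2, fresh cnonce, its own URI
        // (URI and cnonce are constructed sample values).
        String second = response(user, realm, pw, "GET", "/dir/other.html", nonce, 2, "1b5c224d");

        System.out.println("nc=00000001 response=" + first);
        System.out.println("nc=00000002 response=" + second);
        // A copied Authorization value would not match what the server recomputes.
        System.out.println("copied response still valid: " + second.equals(first));
    }
}
```

Whether a server accepts the second response without issuing a new challenge still depends on its nonce lifetime and policy, as the quoted reply says.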