Sabarivasan Viswanathan wrote:
Hello,
I am having trouble disabling every scheme except DIGEST and sending
credentials preemptively.
What I see when I use Wireshark is that the first HTTP request sends
credentials in BASIC mode. The server sends a 401 challenge after which the
client sends the correct DIGEST credentials. For obvious security reasons, I
want to avoid sending credentials in clear text using BASIC authentication.
If possible, I would also like to avoid the challenge step and use
preemptive authentication so that only 1 round trip is needed.
Here is my code:
import java.util.ArrayList;
import java.util.List;

import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.UsernamePasswordCredentials;
import org.apache.commons.httpclient.auth.AuthPolicy;
import org.apache.commons.httpclient.auth.AuthScope;
import org.apache.commons.httpclient.methods.PostMethod;

HttpClient client = new HttpClient();
// Credentials scoped to host, port and realm
client.getState().setCredentials(new AuthScope("host", 80, "securearea"),
        new UsernamePasswordCredentials("username", "password"));
// Restrict the scheme priority list to DIGEST only
List authPrefs = new ArrayList(1);
authPrefs.add(AuthPolicy.DIGEST);
client.getParams().setParameter(AuthPolicy.AUTH_SCHEME_PRIORITY, authPrefs);
// Ask the client to send credentials before being challenged
client.getParams().setAuthenticationPreemptive(true);
PostMethod post = new PostMethod("http://host/resource");
post.setDoAuthentication(true);
int result = client.executeMethod(post);
....
I have noticed that if I uncomment the line that does
setAuthenticationPreemptive(true), the first request does not send any
credentials at all and the 2nd request uses DIGEST credentials
appropriately.
Is there anything I am missing?
Sabari
Sabarivasan,
HttpClient 3.x can only authenticate preemptively using BASIC scheme.
HttpClient 4.0 can optionally store the DIGEST challenge in the
execution context and use it for preemptive authentication:
http://svn.apache.org/repos/asf/httpcomponents/httpclient/trunk/module-client/src/examples/org/apache/http/examples/client/ClientPreemptiveDigestAuthentication.java
Preemptive authentication of any kind is generally discouraged, though.
Oleg
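An added example, not code from this thread or from the HttpClient example linked above, of the two things asked for, written against the HttpClient 4.3+ API instead of 3.x: the target's allowed schemes are restricted to DIGEST so the password is never sent in a Basic header, and one HttpClientContext is shared across requests so the DigestScheme the client caches after the first 401 challenge is reused preemptively on later requests. Host, realm, credentials and the class name DigestOnlyClient are placeholders; the first request still has to take the challenge, since a valid nonce cannot be known before the server has issued one.

```java
import java.util.Collections;
import org.apache.http.HttpHost;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.AuthCache;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.client.config.AuthSchemes;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.client.protocol.HttpClientContext;
import org.apache.http.impl.client.BasicAuthCache;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.util.EntityUtils;

public class DigestOnlyClient {
    public static void main(String[] args) throws Exception {
        HttpHost target = new HttpHost("host", 80, "http"); // placeholder host
        // Credentials are scoped to one host, port and realm, not AuthScope.ANY.
        CredentialsProvider creds = new BasicCredentialsProvider();
        creds.setCredentials(new AuthScope("host", 80, "securearea"),
                new UsernamePasswordCredentials("username", "password"));
        // Only DIGEST is acceptable for the target. A Basic-only challenge is left
        // unanswered (the request fails with 401) instead of leaking the password.
        RequestConfig config = RequestConfig.custom()
                .setTargetPreferredAuthSchemes(Collections.singletonList(AuthSchemes.DIGEST))
                .build();
        // One context shared across requests. After the first 401 challenge is
        // answered, the client caches the completed DigestScheme for the target
        // here and sends the Authorization header preemptively on later requests.
        AuthCache authCache = new BasicAuthCache();
        HttpClientContext context = HttpClientContext.create();
        context.setAuthCache(authCache);
        try (CloseableHttpClient client = HttpClients.custom()
                .setDefaultCredentialsProvider(creds)
                .setDefaultRequestConfig(config)
                .build()) {
            for (int i = 0; i < 2; i++) { // 1st: challenge + retry; 2nd: preemptive
                HttpPost post = new HttpPost("/resource");
                try (CloseableHttpResponse rsp = client.execute(target, post, context)) {
                    System.out.println(rsp.getStatusLine() + " cached=" + authCache.get(target));
                    EntityUtils.consume(rsp.getEntity());
                }
            }
        }
    }
}
```

Watching the two requests in Wireshark, the first carries no Authorization header until the 401 arrives, and the second carries a Digest header (never Basic) on its first attempt.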