Thanks as always for a prompt response that answers all my questions.

Sabari

On Tue, Jul 29, 2008 at 5:14 AM, Oleg Kalnichevski <[EMAIL PROTECTED]> wrote:

> Sabarivasan Viswanathan wrote:
>
>> Hello,
>>
>> I am having trouble disabling every scheme except DIGEST and sending
>> credentials preemptively.
>>
>> What I see when I use Wireshark is that the first HTTP request sends
>> credentials in BASIC mode. The server sends a 401 challenge after which the
>> client sends the correct DIGEST credentials. For obvious security reasons, I
>> want to avoid sending credentials in clear text using BASIC authentication.
>>
>> If possible, I would also like to avoid the challenge step and use
>> preemptive authentication so that only 1 round trip is needed.
>>
>> Here is my code:
>>        HttpClient client = new HttpClient();
>>
>>        client.getState().setCredentials(
>>                new AuthScope("host", 80, "securearea"),
>>                new UsernamePasswordCredentials("username", "password"));
>>
>>        // Restrict the allowed authentication schemes to DIGEST only
>>        List authPrefs = new ArrayList(1);
>>        authPrefs.add(AuthPolicy.DIGEST);
>>        client.getParams().setParameter(AuthPolicy.AUTH_SCHEME_PRIORITY, authPrefs);
>>
>>        client.getParams().setAuthenticationPreemptive(true);
>>
>>        PostMethod post = new PostMethod("http://host/resource");
>>        post.setDoAuthentication(true);
>>
>>        int result = client.executeMethod(post);
>> ....
>>
>> I have noticed that if I uncomment the line that does
>> setAuthenticationPreemptive(true), the first request does not send any
>> credentials at all and the 2nd request uses DIGEST credentials
>> appropriately.
>>
>> Is there anything I am missing?
>>
>> Sabari
>>
>>
>>
> Sabarivasan,
>
> HttpClient 3.x can only authenticate preemptively using BASIC scheme.
> HttpClient 4.0 can optionally store the DIGEST challenge in the execution
> context and use it for preemptive authentication:
>
>
> http://svn.apache.org/repos/asf/httpcomponents/httpclient/trunk/module-client/src/examples/org/apache/http/examples/client/ClientPreemptiveDigestAuthentication.java
>
> Preemptive authentication of any kind is generally discouraged, though.
>
> Oleg
>
>
>
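
An added example (not part of the original messages, and not HttpClient code) of why DIGEST credentials cannot go out on the first request and what storing the challenge makes possible: the RFC 2617 response is computed over the nonce from the server's 401. It uses only the JDK; the class and method names are hypothetical, and the nonce and cnonce are constructed sample values.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class DigestNonceDemo {
    // Lower-case hex MD5, the encoding RFC 2617 uses for HA1, HA2 and the response.
    static String md5Hex(String s) throws NoSuchAlgorithmException {
        byte[] d = MessageDigest.getInstance("MD5")
                .digest(s.getBytes(StandardCharsets.ISO_8859_1));
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02x", b & 0xff));
        return sb.toString();
    }

    // RFC 2617 request-digest for qop=auth. The nonce only exists after a 401 challenge.
    static String response(String user, String realm, String pass, String method,
                           String uri, String nonce, int nc, String cnonce)
            throws NoSuchAlgorithmException {
        if (nonce == null) {
            throw new IllegalStateException("no challenge cached, DIGEST response cannot be computed");
        }
        String ha1 = md5Hex(user + ":" + realm + ":" + pass);
        String ha2 = md5Hex(method + ":" + uri);
        String ncHex = String.format("%08x", nc); // nonce count, 8 hex digits
        return md5Hex(ha1 + ":" + nonce + ":" + ncHex + ":" + cnonce + ":auth:" + ha2);
    }

    public static void main(String[] args) throws Exception {
        String cnonce = "0a4f113b";  // constructed; a real client picks a fresh random value
        String cachedNonce = null;   // nothing cached before the first 401

        // First request: no server nonce yet, so no DIGEST header is possible.
        try {
            response("username", "securearea", "password", "POST", "/resource",
                     cachedNonce, 1, cnonce);
        } catch (IllegalStateException e) {
            System.out.println("request 1: " + e.getMessage());
        }

        // After the 401: keep the nonce and reuse it preemptively, incrementing nc.
        cachedNonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"; // constructed sample nonce
        for (int nc = 1; nc <= 2; nc++) {
            System.out.println("nc=" + String.format("%08x", nc) + " response="
                    + response("username", "securearea", "password", "POST", "/resource",
                               cachedNonce, nc, cnonce));
        }
    }
}
```

The password itself never appears in the header, only a hash bound to the server's nonce, which is why a client restricted to DIGEST has to see one challenge before it can authenticate without a further round trip.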
