Sebastiaan van Erk wrote:
Hi,
Thanks for your helpful answers, as usual. :-)
Oleg Kalnichevski wrote:
HttpClient 4.0 can be customized to support preemptive authentication
using BASIC or DIGEST schemes. NTLM cannot be used preemptively in
principle.
Hi Sebastiaan
Ok, I was afraid of that. Does that mean that I am forced to use
expect/continue with non-repeatable requests?
I am afraid so. Another alternative would be to execute a GET or a HEAD
request to make sure credentials are OK before executing a POST with a
large entity. The good thing about NTLM authentication scheme is that
one has only to authenticate once. NTLM authentication is connection
based. A persistent HTTP connection will retain its NTLM context as long
as it remains open.
Second question: when I register credentials with httpclient, I can
only set them once. So how can I set the correct credentials if I
don't yet know the auth type? Or should I use the first request to
determine the auth type? Currently there are
UsernamePasswordCredentials (for BASIC and DIGEST) and NTCredentials
(for NTLM). Or is it possible to *always* just use NTCredentials for
the other auth types as well?
Yes, it is. NTCredentials are perfectly valid for non-NTLM
authentication schemes.
Ok, that's great. :-) Does it just ignore the domain and workstation
parts then?
HttpClient will ignore the workstation part but will use the domain part
to construct a fully qualified domain user name.
Currently I'm using the
InetAddress.getLocalHost().getCanonicalHostName() to initialize the
workstation/hostname, and I'm splitting the supplied into a domain and
username (so if the user types DOMAIN\username I split it into the two
components). The only thing this might then break is if BASIC or
DIGEST is used and it was meant to send the whole DOMAIN\username
combination as the user name (I have seen it used that way in real
life configurations, i.e., you have to authenticate with BASIC using
DOMAIN\username as the user name).
If you supply user credentials as an NTCredentials instance, HttpClient
will automatically use a fully qualified domain user name with BASIC and
DIGEST schemes.
The use of preemptive authentication is discouraged (or at least not
promoted). However, one can easily add preemptive authentication
capabilities using custom protocol interceptors. See samples above.
Ok, I'll give the interceptors a shot. The reason I want (need?)
preemptive authentication is because some proxies do not support
expect/continue and I have non-repeatable posts (multi-megabyte size).
An HTTP GET or HEAD preceding a POST with a large content entity is the
way to go.
Hope this helps
Oleg
Hope this helps
Yes, very much. :-)
Oleg
Regards,
Sebastiaan
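
The probe-then-POST approach recommended in the thread, as an added example that is not part of the original messages. It is written against the HttpClient 4.0-era API (DefaultHttpClient). The host, URL, file name, account name, domain and the UPLOAD_PASSWORD environment variable are assumed placeholders.

```java
import java.io.File;
import java.io.FileInputStream;
import java.net.InetAddress;
import org.apache.http.HttpResponse;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.NTCredentials;
import org.apache.http.client.methods.HttpHead;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.entity.InputStreamEntity;
import org.apache.http.impl.client.DefaultHttpClient;

public class ProbeThenPost {
    public static void main(String[] args) throws Exception {
        // Assumed placeholders: replace with the real target, account and payload.
        String host = "intranet.example.com";
        String url = "https://" + host + "/upload";
        File payload = new File("large-upload.bin");
        String password = System.getenv("UPLOAD_PASSWORD");
        if (password == null) throw new IllegalStateException("UPLOAD_PASSWORD not set");

        DefaultHttpClient httpclient = new DefaultHttpClient();
        try {
            // One NTCredentials instance is valid for BASIC and DIGEST as well as NTLM.
            // The AuthScope limits it to this host and port, so the password is not
            // offered to any other server that happens to send a challenge.
            String workstation = InetAddress.getLocalHost().getCanonicalHostName();
            httpclient.getCredentialsProvider().setCredentials(
                    new AuthScope(host, 443),
                    new NTCredentials("username", password, workstation, "DOMAIN"));

            // Cheap probe: the challenge/response round trips happen on a request
            // without a body, so nothing has to be replayed if the first try gets a 401.
            HttpResponse probe = httpclient.execute(new HttpHead(url));
            int status = probe.getStatusLine().getStatusCode();
            if (probe.getEntity() != null) probe.getEntity().consumeContent();
            if (status == 401) {
                throw new IllegalStateException("Credentials rejected, body not sent");
            }

            // Non-repeatable entity: the stream can only be read once, which is why
            // authentication has to be settled before this request goes out.
            HttpPost post = new HttpPost(url);
            post.setEntity(new InputStreamEntity(new FileInputStream(payload), payload.length()));
            HttpResponse response = httpclient.execute(post);
            System.out.println(response.getStatusLine());
            if (response.getEntity() != null) response.getEntity().consumeContent();
        } finally {
            httpclient.getConnectionManager().shutdown();
        }
    }
}
```

Both requests go through the same client instance so that the POST can reuse the connection the HEAD authenticated on, provided the server keeps it open.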