Hi,
Unfortunately the HEAD option is not very stable either. The nonce is usable only once as well, so in the next post it is no good anymore. However, if I set the nonce preemptively using the request/response interceptor method ISA will say 407 but httpclient will not try again, which will mean that due to the response interceptor the new DIGEST auth has been saved and it will work for the next POST.
I don't really understand why httpclient does retry the request when there is no auth preemptively set, but does not retry the request when there is.
Also I'm afraid this solution is very brittle: if the HTTP target requires any kind of digest authentication I'm sure this will completely fail.
The only thing I can really think of is to somehow make the POST repeatable (buffer it?). Is the value of isRepeatable() allowed to change? I.e. it is repeatable as long as we're in the first 4096 bytes of the stream (the buffer), but after that, it is no more? I can't buffer multimegabytes, but as long as I can buffer enough to handle the authentication, it should do the trick...
Regards,
Sebastiaan
Sebastiaan van Erk wrote:
Just as I replied to this message, I noticed that I had not tried the HEAD option which you suggested. I tried it, and it does in fact work with DIGEST. Thanks!
Regards,
Sebastiaan
Sebastiaan van Erk wrote:
Hi,
I'm still trying to get different types of authentication to work, this time I'm testing with Microsoft ISA Server 2006 (which seems pretty broken). I got basic to work with a ResponseInterceptor to pick of the auth from a successful small request preceding a large request, and then using preemptive from then on the large POSTS. However, I'm having trouble with DIGEST.
Oleg Kalnichevski wrote:
HttpClient 4.0 can be customized to support preemptive authentication using BASIC or DIGEST schemes. NTLM cannot be used preemptively in principle.
Just to clarify my understanding: DIGEST can only be used preemptively when the server accepts the reuse of a previously used nonce, right? That is, if the proxy server requires a new DIGEST challenge/response every request, then preemptive DIGEST auth will (by definition) fail?
Ok, I was afraid of that. Does that mean that I am forced to use expect/continue with non-repeatable requests?
I am afraid so. Another alternative would be to execute a GET or a HEAD request to make sure credentials are OK before executing a POST with a large entity. The good thing about NTLM authentication scheme is that one has only to authenticate once. NTLM authentication is connection based. A persistent HTTP connection will retain its NTLM context as long as it remains open.
Ok, I'm testing with MS ISA 2006 as mentioned above. It seems to be very broken: when doing expect/continue it will *ALWAYS* respond 100 Continue when doing a POST, only to fail with a 407 the second you start sending data. This breaks non-repeatable POSTS with DIGEST authentication, and I can't use the preemptive DIGEST using authentication from a previous request, since ISA requires a new challenge/response on every request (even in the same connection).
The use of preemptive authentication is discouraged (or at least not promoted). However, one can easily add preemptive authentication capabilities using custom protocol interceptors. See samples above.
Ok, I'll give the interceptors a shot. The reason I want (need?) preemptive authentication is because some proxies do not support expect/continue and I have non-repeatable posts (multi-megabyte size).
An HTTP GET or HEAD preceding a POST with a large content entity is the way to go.
This works with NTLM (connection based), but not with DIGEST (at least on ISA). Do you have any ideas how to go about it with DIGEST?
Regards,
Sebastiaan
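The buffering idea raised in the first message (a body whose isRepeatable() stays true only while everything sent so far still fits in a bounded buffer), written out as an added example that is not code from this thread or from HttpClient. `PrefixBufferedBody` is a hypothetical plain-JDK class whose method names only mirror an entity's; it assumes the caller checks isRepeatable() immediately before a retry, which the thread does not confirm for HttpClient.

```java
import java.io.*;
import java.util.Arrays;

// Hypothetical class (not part of HttpClient): a body that can be re-sent
// as long as every byte sent so far still sits in a fixed-size prefix buffer.
public class PrefixBufferedBody {
    private final InputStream source;
    private final byte[] prefix;
    private int buffered;          // source bytes currently held in prefix
    private boolean overflowed;    // true once bytes beyond the prefix were sent

    public PrefixBufferedBody(InputStream source, int capacity) {
        this.source = source;
        this.prefix = new byte[capacity];
    }

    public boolean isRepeatable() { return !overflowed; }

    public void writeTo(OutputStream out) throws IOException {
        if (overflowed) throw new IOException("body sent past the replay buffer");
        out.write(prefix, 0, buffered);              // replay an earlier attempt
        int n;
        while (buffered < prefix.length
                && (n = source.read(prefix, buffered, prefix.length - buffered)) != -1) {
            int start = buffered;
            buffered += n;                           // record before the write can fail
            out.write(prefix, start, n);
        }
        byte[] chunk = new byte[8192];
        while ((n = source.read(chunk)) != -1) {     // past the buffer: no more replays
            overflowed = true;
            out.write(chunk, 0, n);
        }
    }

    public static void main(String[] args) throws IOException {
        byte[] data = new byte[10000];               // constructed sample body
        for (int i = 0; i < data.length; i++) data[i] = (byte) i;
        PrefixBufferedBody body = new PrefixBufferedBody(new ByteArrayInputStream(data), 4096);
        OutputStream rejecting = new OutputStream() { // stands in for a 407 once data flows
            @Override public void write(int b) throws IOException { throw new IOException("407"); }
        };
        try { body.writeTo(rejecting); } catch (IOException expected) { }
        System.out.println("repeatable after failed attempt: " + body.isRepeatable());
        ByteArrayOutputStream retry = new ByteArrayOutputStream();
        body.writeTo(retry);
        System.out.println("retry sent full body: " + Arrays.equals(data, retry.toByteArray()));
        System.out.println("repeatable after full send: " + body.isRepeatable());
    }
}
```

If the rejection arrives only after more than the buffer's capacity has been sent, the body reports itself as non-repeatable and the request cannot be retried with the fresh challenge.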
