On Wed, 2008-08-20 at 11:19 +0200, Sebastiaan van Erk wrote:
> Hi,
>
> I'm still trying to get different types of authentication to work, this
> time I'm testing with Microsoft ISA Server 2006 (which seems pretty
> broken). I got basic to work with a ResponseInterceptor to pick of the
> auth from a successful small request preceding a large request, and then
> using preemptive from then on the large POSTS. However, I'm having
> trouble with DIGEST.
>
> >> Oleg Kalnichevski wrote:
> >>
> >>> HttpClient 4.0 can be customized to support preemptive authentication
> >>> using BASIC or DIGEST schemes. NTLM cannot be used preemptively in
> >>> principle.
>
> Just to clarify my understanding: DIGEST can only be used preemptively
> when the server accepts the reuse of a previously used nonce right?

Absolutely right.

> That
> is, if the proxy server requires a new DIGEST challenge/response every
> request, then preemptive DIGEST auth will (by definition) fail?
>

Yes, it will

> >> Ok, I was afraid of that. Does that mean that I am forced to use
> >> expect/continue with non-repeatable requests?
> >>
> > I am afraid so. Another alternative would be to execute a GET or a HEAD
> > request to make sure credentials are OK before executing a POST with a
> > large entity. The good thing about NTLM authentication scheme is that
> > one has only to authenticate once. NTLM authentication is connection
> > based. A persistent HTTP connection will retain its NTLM context as long
> > as it remains open.
>
> Ok, I'm testing with MS ISA 2006 as mentioned above. It seems to be very
> broken: when doing expect/continue it will *ALWAYS* respond 100 Continue
> when doing a POST, only to fail with a 407 the second you start sending
> data.

I am not aware of any HTTP proxy that supports the expect/continue
handshaking fully. I believe Squid also supports it only partially.

> This breaks non-repeatable POSTS with DIGEST authentication, and I
> can't use the preemptive DIGEST using authentication from a previous
> request, since ISA requires a new challenge/response on every
> request (even in the same connection).
>
> >>> The use of preemptive authentication is discouraged (or at least not
> >>> promoted). However, one can easily add preemptive authentication
> >>> capabilities using custom protocol interceptors. See samples above.
> >>
> >> Ok, I'll give the interceptors a shot. The reason I want (need?)
> >> preemptive authentication is because some proxies do not support
> >> expect/continue and I have non-repeatable posts (multi-megabyte size).
> >>
> > An HTTP GET or HEAD preceding a POST with a large content entity is the
> > way to go.
>
> This works with NTLM (connection based), but not with DIGEST (at least
> on ISA).
> Do you have any ideas how to go about it with DIGEST?
>

I do not see an easy way around this problem. The only possibility would
be to configure the ISA to update the nonce value less frequently.

Oleg

> Regards,
> Sebastiaan
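
The nonce-reuse condition discussed in the message above, as an added example that is not part of the original thread and is not HttpClient code: a toy RFC 2617 digest proxy (qop=auth) run under both nonce policies, with a HEAD probe followed by a preemptive POST that reuses the probe's nonce. The names Proxy, authorize and probe_then_post, the credentials and the /upload URI are constructed for illustration.

```python
import hashlib
import secrets

# Constructed sample credentials and realm (not from the thread).
USER, REALM, PASSWORD = "alice", "proxy", "s3cret"

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()  # RFC 2617 default algorithm

def digest_response(method, uri, nonce, nc, cnonce):
    """RFC 2617 request-digest for qop=auth."""
    ha1 = _md5(f"{USER}:{REALM}:{PASSWORD}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def authorize(method, uri, nonce, nc):
    """Client side: build the Authorization fields for one request."""
    nc_hex, cnonce = f"{nc:08x}", secrets.token_hex(8)
    return {"nonce": nonce, "nc": nc_hex, "cnonce": cnonce,
            "response": digest_response(method, uri, nonce, nc_hex, cnonce)}

class Proxy:
    """Toy proxy. single_use=True retires a nonce after one accepted request."""
    def __init__(self, single_use):
        self.single_use = single_use
        self.nonces = {}  # issued nonce -> highest nonce-count accepted

    def handle(self, method, uri, auth=None):
        """Return (status, new_nonce); a 407 always carries a fresh challenge."""
        last_nc = self.nonces.get(auth["nonce"]) if auth else None
        if last_nc is not None and int(auth["nc"], 16) > last_nc:
            want = digest_response(method, uri, auth["nonce"], auth["nc"], auth["cnonce"])
            if secrets.compare_digest(want, auth["response"]):
                if self.single_use:
                    del self.nonces[auth["nonce"]]  # per-request nonce policy
                else:
                    self.nonces[auth["nonce"]] = int(auth["nc"], 16)
                return 200, None
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return 407, nonce

def probe_then_post(proxy, uri="/upload"):
    """HEAD probe to get and validate a nonce, then a preemptive POST reusing it."""
    _, nonce = proxy.handle("HEAD", uri)
    head, _ = proxy.handle("HEAD", uri, authorize("HEAD", uri, nonce, 1))
    post, _ = proxy.handle("POST", uri, authorize("POST", uri, nonce, 2))
    return head, post

if __name__ == "__main__":
    print("nonce reuse allowed:", probe_then_post(Proxy(single_use=False)))
    print("nonce per request:  ", probe_then_post(Proxy(single_use=True)))
```

With nonce reuse the POST is accepted on the first attempt; with a per-request nonce the probe succeeds but the POST still draws a 407, so the large entity would have to be sent twice.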
