Re: Potential account lockouts when using authentication using concurrent http requests

Tue, 16 Sep 2008 14:25:48 -0700 

Hi Oleg,

I assume with credentials store you talks about the abstraction provided by
the CredentialsProvider interface which allows to set or get a credential
as well as to clear them.
I believe you are saying in HttpClient 4 managing the credential store is
entirely the responsibility of the application.
Therefore the get/clear methods would not be strictly needed, right?

See also my follow up questions below.

Thanks much,

Henrich


> When using HttpClient 4.0 one is advised to do the following:
>
> * populate the credentials store with the default credentials if
> available
> * execute the request
> * if the request fails with status code 401 or 407, prompt the user for
> new credentials
> * update the credentials store according to the user input
> * retry

I looked at the ClientInteractiveAuthentication example. Here are some
excerpts
        boolean trying = true;
        while (trying) {
..
            HttpResponse response = httpclient.execute(httpget,
localContext);
..
            HttpEntity entity = response.getEntity();
            if (entity != null) {
                entity.consumeContent();
            }

            int sc = response.getStatusLine().getStatusCode();

            AuthState authState = null;
            if (sc == HttpStatus.SC_UNAUTHORIZED) {
                // Target host authentication required
                authState = (AuthState) localContext.getAttribute
(ClientContext.TARGET_AUTH_STATE);
            }
            if (sc == HttpStatus.SC_PROXY_AUTHENTICATION_REQUIRED) {
                // Proxy authentication required
                authState = (AuthState) localContext.getAttribute
(ClientContext.PROXY_AUTH_STATE);
            }

            if (authState != null) {
..
                AuthScope authScope = authState.getAuthScope();
..
                System.out.print("Enter username: ");
                String user = console.readLine();
                System.out.print("Enter password: ");
                String password = console.readLine();

                if (user != null && user.length() > 0) {
                    Credentials creds = new UsernamePasswordCredentials
(user, password);
                    httpclient.getCredentialsProvider().setCredentials
(authScope, creds);
                    trying = true;
                } else {
                    trying = false;
                }
            } else {
                trying = false;
            }
        }

I would think that some state needs to be carried over when forming the
response (for digest scheme)
Is this done via the HttpContext (localContext) which is passed into each
execute() call?

>
> One can also use the same logic with HttpClient 3.x.
>
> Hope this helps
>
> Oleg
>
> > Thanks,
> >
> > Henrich
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>

Reply via email to