On Wed, 2011-08-24 at 08:51 +0200, Christian Migowski wrote:
> My sincere apologies,
> 
> you are right, for some strange reasons I had httpclient 4.0.1 as well
> in the classpath which did not have the mentioned field/method which
> caused my errors.
> 
> Still: forcing the users to implement that code snippet every time
> they need to use preemptive auth is just this: forcing the user to do
> unnecessary stuff because you want to.
> You can and have put an explicit statement about why preemptive auth
> should be used carefully or best not used in the documentation
> everywhere (with javadoc it's even available "during programming"), and
> this for sure will raise awareness at the users' side, but the code to
> be implemented does not show at all that preemptive auth is not
> advised, it is just a PITA and this indicates a certain mindset of
> you.

Please RTFM.

> 
> There are valid use cases for preemptive auth, I for example needed it
> as a workaround for a bug in the server side program I want to
> communicate with (if you are interested:
> http://www.redmine.org/issues/9099 )
> 

You are entitled to your opinion on the matter, I am entitled to mine. I
contend that preemptive authentication is conceptually flawed and poses
major security risks in the overwhelming majority of cases. In rare
special cases where preemptive authentication may have certain benefits,
the users are expected to command a certain understanding of the concept of
credentials caching and should be capable of writing a few lines of code
to pre-populate the cache instead of just dumbly flipping a boolean
flag. 

Oleg  
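
The "few lines of code to pre-populate the cache" mentioned above, as an added example that is not part of the original message and not the HttpClient project's own code. It assumes the HttpClient 4.1 API (`AuthCache`, `BasicAuthCache`, `BasicScheme`); the host name, credentials and the `preemptiveContextFor` helper are hypothetical placeholders, and the helper restricts unprompted Basic credentials to a single HTTPS host.

```java
import org.apache.http.HttpHost;
import org.apache.http.HttpResponse;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.AuthCache;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.protocol.ClientContext;
import org.apache.http.impl.auth.BasicScheme;
import org.apache.http.impl.client.BasicAuthCache;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.protocol.BasicHttpContext;
import org.apache.http.util.EntityUtils;

public class PreemptiveBasicAuthExample {

    // Hypothetical helper: pre-populates the auth cache for exactly one host.
    // Basic credentials are only base64-encoded, so plain HTTP is refused.
    static BasicHttpContext preemptiveContextFor(HttpHost target) {
        if (!"https".equalsIgnoreCase(target.getSchemeName())) {
            throw new IllegalArgumentException(
                    "refusing preemptive Basic auth over " + target.getSchemeName());
        }
        AuthCache authCache = new BasicAuthCache();
        authCache.put(target, new BasicScheme()); // the only host that gets credentials unprompted
        BasicHttpContext context = new BasicHttpContext();
        context.setAttribute(ClientContext.AUTH_CACHE, authCache);
        return context;
    }

    public static void main(String[] args) throws Exception {
        // Constructed placeholder host and credentials; replace with your own server.
        HttpHost target = new HttpHost("server.example", 443, "https");
        DefaultHttpClient client = new DefaultHttpClient();
        try {
            // Scope the credentials to this host and port, not AuthScope.ANY.
            client.getCredentialsProvider().setCredentials(
                    new AuthScope(target.getHostName(), target.getPort()),
                    new UsernamePasswordCredentials("user", "placeholder-password"));
            HttpResponse response =
                    client.execute(target, new HttpGet("/"), preemptiveContextFor(target));
            System.out.println(response.getStatusLine());
            EntityUtils.consume(response.getEntity()); // release the connection
        } finally {
            client.getConnectionManager().shutdown();
        }
    }
}
```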



