On Wed, Aug 24, 2011 at 11:25 AM, Oleg Kalnichevski <[email protected]> wrote:
>> Still: forcing the users to implement that code snippet every time
>> they need to use preemptive auth is just this: forcing the user to do
>> unnecessary stuff because you want to.
>> You can and have put an explicit statement about why preemptive auth
>> should be used carefully or best not used in the documentation
>> everywhere (with javadoc it's even available "during programming"), and
>> this for sure will raise awareness at the users' side, but the code to
>> be implemented does not show at all that preemptive auth is not
>> advised, it is just a PITA and this indicates a certain mindset of
>> you.
>
> Please RTFM.

Trust me, I did. I guess you cannot see this, but all of the code is just
self-serving boilerplate.

You know, all I want to make httpclient do is send this:

    GET /redmine/users/4.xml HTTP/1.1
    Host: example.com
    Connection: Keep-Alive
    Authorization: Basic dTQxMzQ4MTp1NDEzNDgx

instead of omitting the Authorization line in the first request and sending
it only after a 401 was received.

To me, libraries should be as useful as possible, making things easy, which
is clearly not the case with httpclient and this particular issue - and all
of this without a real need, but just because the lib dev thinks he is
smarter and needs to force-educate his users.

regards,
christian

> You are entitled to your opinion on the matter, I am entitled to mine. I
> contend that preemptive authentication is conceptually flawed and poses
> major security risks in the overwhelming majority of cases. In rare
> special cases where preemptive authentication may have certain benefits,
> the users are expected to command a certain understanding of the concept of
> credentials caching and should be capable of writing a few lines of code
> to pre-populate the cache instead of just dumbly flipping a boolean
> flag.
>
> Oleg
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
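The two behaviours the messages above argue about, as an added example that is not part of the thread and does not use Apache HttpClient or its classes: a throwaway local origin plays the server, and a small client models a per-target auth cache of the kind Oleg describes pre-populating, next to the global "always send" flag Christian asks for. The credentials, realm and paths are constructed for the demo; the username and password are simply what the Basic token in Christian's request decodes to, which is itself the practitioner's caveat here, since Basic is base64, not secret, and whoever sees that header on the wire has the password.

```python
import base64
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed demo credentials; they are what the token in the mail decodes to.
USERNAME, PASSWORD = "u413481", "u413481"


def basic_token(user, password):
    """Basic credential encoding: base64("user:password")."""
    return base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_basic_token(token):
    """Base64 is an encoding, not encryption: the header reveals the password."""
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def make_handler(require_auth):
    """Local origin that either demands Basic auth or serves everything openly.
    The Authorization header of every request is recorded in Handler.seen."""
    class Handler(BaseHTTPRequestHandler):
        seen = []

        def do_GET(self):
            auth = self.headers.get("Authorization")
            Handler.seen.append(auth)
            if require_auth and auth != "Basic " + basic_token(USERNAME, PASSWORD):
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="Redmine"')
                self.end_headers()
                return
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"<user><id>4</id></user>")

        def log_message(self, *args):  # keep the demo quiet
            pass
    return Handler


def start_server(require_auth):
    srv = HTTPServer(("127.0.0.1", 0), make_handler(require_auth))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


class Client:
    """Minimal client with a per-target auth cache (a model of the cache the
    thread talks about, not HttpClient's own API) plus a global flag."""

    def __init__(self, creds, preemptive_everywhere=False):
        self.creds = creds              # one (user, password) pair
        self.auth_cache = set()         # (host, port) targets known to want Basic
        self.preemptive_everywhere = preemptive_everywhere

    def _headers(self, target):
        if target in self.auth_cache or self.preemptive_everywhere:
            return {"Authorization": "Basic " + basic_token(*self.creds)}
        return {}

    def get(self, host, port, path):
        """Returns (status, round trips). Retries once after a Basic challenge."""
        target = (host, port)
        for attempt in (1, 2):
            conn = HTTPConnection(host, port)
            conn.request("GET", path, headers=self._headers(target))
            resp = conn.getresponse()
            resp.read()
            conn.close()
            challenged = (resp.status == 401 and
                          resp.getheader("WWW-Authenticate", "").startswith("Basic"))
            if challenged and target not in self.auth_cache:
                self.auth_cache.add(target)  # learn the target, then retry once
                continue
            return resp.status, attempt


def run_demo():
    """Three clients against two local origins; returns what each one sent."""
    secured, open_srv = start_server(True), start_server(False)
    sec = ("127.0.0.1", secured.server_port)
    opn = ("127.0.0.1", open_srv.server_port)
    sec_seen = secured.RequestHandlerClass.seen
    opn_seen = open_srv.RequestHandlerClass.seen
    out = {}
    # 1. Default: bare request, 401 challenge, one retry carrying the header.
    c = Client((USERNAME, PASSWORD))
    out["challenge"] = c.get(*sec, "/redmine/users/4.xml")
    out["challenge_headers"] = list(sec_seen)
    # 2. Preemptive but scoped: cache pre-populated for this one target, so the
    #    first request carries the header while an unrelated origin gets nothing.
    sec_seen.clear()
    p = Client((USERNAME, PASSWORD))
    p.auth_cache.add(sec)
    out["preemptive"] = p.get(*sec, "/redmine/users/4.xml")
    out["preemptive_headers"] = list(sec_seen)
    p.get(*opn, "/public")
    out["scoped_leak"] = [h for h in opn_seen if h]
    # 3. A global "always send" flag: the open origin receives the password unasked.
    opn_seen.clear()
    g = Client((USERNAME, PASSWORD), preemptive_everywhere=True)
    g.get(*opn, "/public")
    out["global_leak"] = [decode_basic_token(h.split()[1]) for h in opn_seen if h]
    secured.shutdown()
    open_srv.shutdown()
    return out
```

Running run_demo() shows the trade the thread is about: the default path costs an extra round trip but only ever sends credentials to an origin that has challenged for them; the pre-populated cache removes the round trip for the one target it names; the global flag hands the password to every origin the client talks to, challenged or not.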
