Well, it kinda works. I've noticed at least two problems:
1. In WebdavSession, there's code that says:

    if (hostCredentials != null) {
        HttpState clientState = client.getState();
        clientState.setCredentials(null, httpURL.getHost(),
                                   hostCredentials);
        clientState.setAuthenticationPreemptive(true);
    }

If I understand the discussion at http://jakarta.apache.org/commons/httpclient/authentication.html, this is very wrong. Just because I've supplied credentials does NOT necessarily mean I want to authenticate preemptively, particularly since that only sends the Basic: scheme preemptively. For NTLM, I don't want to bother with Basic at all. Furthermore, it makes it impossible to turn it off, since you aren't respecting the system settings in HttpState:

    wdr.retrieveSessionInstance().getState().setAuthenticationPreemptive(false);
    System.out.println(wdr.retrieveSessionInstance().getState().isAuthenticationPreemptive());
    ==> "true"

2. I've had to avoid using WebdavResource.putMethod(), because it does not expose PutMethod.setUseExpectHeader(). From the documentation:
Activates 'Expect: 100-Continue' handshake. The purpose of the 'Expect: 100-Continue' handshake is to allow a client that is sending a request message with a request body to determine if the origin server is willing to accept the request (based on the request headers) before the client sends the request body.
The use of the 'Expect: 100-continue' handshake can result in noticeable performance improvement for entity enclosing requests (such as POST and PUT) that require the target server's authentication.
'Expect: 100-continue' handshake should be used with caution, as it may cause problems with HTTP servers and proxies that do not support HTTP/1.1 protocol.
...but beyond the performance win, when using with IIS on Microsoft Server >= 2000 the expect-continue handshake is AFAICT mandatory. Otherwise, the server throws a 500 error. It would be really, really nice if this option were either exposed or simply turned on by default for WebdavResource.putMethod; with appropriate support sniffing, of course.
--Matthew Beermann
----- Original Message -----
From: "Ingo Brunberg" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, August 12, 2004 2:19 AM
Subject: Re: Client & NTLM Authentication
In WebdavResource there are constructors where you can supply your credentials, for example:

    public WebdavResource(String escapedHttpURL, Credentials credentials)

And I have got at least one report that it works.
Ingo
I'm trying to figure out how to use NTLM authentication with the Slide client. It seemed straightforward enough at first: use retrieveSessionInstance() to get at the underlying HttpClient, then tell it to use NTLM credentials.
But I've run into a chicken-and-egg problem: you must supply WebdavResource with some sort of URI in order to construct it, and for me that URI will fail (throw a 401 exception) until the correct credentials have been supplied. But, there's no way to get to the underlying HttpClient and set the credentials until after the object has been successfully constructed! How do I get around this?
--Matthew Beermann
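
The 'Expect: 100-continue' handshake quoted from the documentation above, shown at wire level over a loopback socket. This is an added example, not code from the thread, Slide or HttpClient, and it is written in Python rather than Java so it runs stand-alone. The names (`put`, `serve_one`, `read_head`, `BODY`, `/doc.txt`) are hypothetical, and the toy server treats any Authorization header as valid instead of running the real multi-leg NTLM exchange.

```python
import socket, threading

BODY = b"x" * 4096  # constructed payload standing in for the uploaded file

def read_head(sock):
    """Read up to the blank line; return (header block, any bytes after it)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    head, _, rest = buf.partition(b"\r\n\r\n")
    return head.decode("latin-1"), rest

def serve_one(listener, received):
    """Toy origin server (assumption): judge one PUT from its headers alone."""
    conn, _ = listener.accept()
    with conn:
        head, body = read_head(conn)
        hdrs = dict(line.lower().split(": ", 1) for line in head.split("\r\n")[1:])
        authed = "authorization" in hdrs
        waiting = hdrs.get("expect") == "100-continue"
        if waiting and authed:
            conn.sendall(b"HTTP/1.1 100 Continue\r\n\r\n")  # invite the body
        if authed or not waiting:  # body is coming, or is already in flight
            while len(body) < int(hdrs["content-length"]):
                body += conn.recv(65536)
        received.append(len(body))
        status = b"201 Created" if authed else b"401 Unauthorized"
        conn.sendall(b"HTTP/1.1 " + status + b"\r\nContent-Length: 0\r\n\r\n")

def put(auth=None, expect=True):
    """One PUT attempt; returns (final status, body bytes the server received)."""
    received = []
    with socket.create_server(("127.0.0.1", 0)) as listener:
        t = threading.Thread(target=serve_one, args=(listener, received))
        t.start()
        head = f"PUT /doc.txt HTTP/1.1\r\nHost: localhost\r\nContent-Length: {len(BODY)}\r\n"
        head += f"Authorization: {auth}\r\n" if auth else ""
        head += "Expect: 100-continue\r\n" if expect else ""
        with socket.create_connection(listener.getsockname()) as s:
            # Without Expect the body is pushed immediately, wanted or not.
            s.sendall(head.encode() + b"\r\n" + (b"" if expect else BODY))
            status = int(read_head(s)[0].split()[1])
            if status == 100:  # server agreed: only now send the body
                s.sendall(BODY)
                status = int(read_head(s)[0].split()[1])
        t.join()
    return status, received[0]
```

With the handshake, an unauthenticated attempt is rejected before any of the request body leaves the client; without it, the whole body is transmitted to a server that then answers 401.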
