Hi Claudio, I worked on this a long time ago. As far as I remember, the Apache Jakarta Commons HttpClient library would attempt NTLM authentication if 'NTLM' is found in the 'WWW-Authenticate' header in the HTTP response. It would ignore 'Digest' in that case because NTLM authentication scheme is believed to be more secure than Digest authentication scheme. If you want to confirm this behaviour, you could try the Jakarta Commons HttpClient mailing list: http://hc.apache.org/httpclient-3.x/mail-lists.html
Could you please share the code where you are able to force the usage of Digest authentication scheme? This is the source file where the code for authentication in Nutch is written: http://svn.apache.org/viewvc/nutch/trunk/src/plugin/protocol-httpclient/src/java/org/apache/nutch/protocol/httpclient/Http.java?view=markup In lines 334 to 337 and 402 to 405, you can find that all credentials are set as NTCredentials objects. I don't have a solution for you yet. But I hope that this information would help you in some manner. Regards, Susam Pal On Tue, Jan 11, 2011 at 7:46 PM, Claudio Martella <[email protected]> wrote: > Hi, > > I'm trying to authenticate with HTTP through DIGEST. > > I set the <default scheme="DIGEST"/> in my conf. The webserver supports > ntlmv2 and digest. As ntlmv2 is not supported by httpclient, i'd like to > force to use digest. > The problem is that as both ntlm and digest are negotiated from the > webserver, nutch still tries only ntlm. > > Here are the logs: > 2011-01-11 15:10:53,800 TRACE httpclient.Http - Credentials - username: > cm; set as default for realm: 192.168.10.210:8090; scheme: digest > [...] > 2011-01-11 14:40:27,781 DEBUG wire.header - << "Server: > Microsoft-IIS/6.0[\r][\n]" > 2011-01-11 14:40:27,781 DEBUG wire.header - << "WWW-Authenticate: > Negotiate[\r][\n]" > 2011-01-11 14:40:27,782 DEBUG wire.header - << "WWW-Authenticate: > NTLM[\r][\n]" > 2011-01-11 14:40:27,782 DEBUG wire.header - << "WWW-Authenticate: Digest > qop="auth",algorithm=MD5-sess,nonce="+Upgraded+v1df768737f223ab92f2de931c95b1cb01a23417361f3196f75258730e42c66de8880242a9455ccac90972955276d42451",charset=utf-8,realm="Digest"[\r][\n]" > [...] > 2011-01-11 15:10:53,885 DEBUG httpclient.HttpMethodDirector - > Authorization required > 2011-01-11 15:10:53,893 DEBUG auth.AuthChallengeProcessor - Supported > authentication schemes in the order of preference: [ntlm, digest, basic] > 2011-01-11 15:10:53,893 INFO auth.AuthChallengeProcessor - ntlm > authentication scheme selected > 2011-01-11 15:10:53,893 DEBUG auth.AuthChallengeProcessor - Using > authentication scheme: ntlm > 2011-01-11 15:10:53,893 DEBUG auth.AuthChallengeProcessor - > Authorization challenge processed > 2011-01-11 15:10:53,893 DEBUG httpclient.HttpMethodDirector - > Authentication scope: NTLM <any realm>@192.168.10.210:8090 > 2011-01-11 15:10:53,893 DEBUG httpclient.HttpMethodDirector - > Credentials required > 2011-01-11 15:10:53,893 DEBUG httpclient.HttpMethodDirector - > Credentials provider not available > 2011-01-11 15:10:53,893 INFO httpclient.HttpMethodDirector - No > credentials available for NTLM <any realm>@192.168.10.210:8090 > > By the way the documentation should be fixed. In order to see the > credentials set in the logs the log4j should be set to TRACE and not DEBUG. > > Why isn't the Digest scheme being tried at all? The credentials are set > and the server negotiates it. I wrote a sample httpclient application > that forces the usage of digest and it does authenticate. > > Any suggestion? > > Thanks > > Claudio > > > -- > Claudio Martella > Digital Technologies > Unit Research & Development - Analyst > > TIS innovation park > Via Siemens 19 | Siemensstr. 19 > 39100 Bolzano | 39100 Bozen > Tel. +39 0471 068 123 > Fax +39 0471 068 129 > [email protected] http://www.tis.bz.it > >
