Posted to dev@hc.apache.org by "James Leigh (JIRA)" <ji...@apache.org> on 2013/04/23 15:49:16 UTC

[jira] [Commented] (HTTPCLIENT-1344) Userinfo Credentials in URI Should Not Default to Preemptive Authentication

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1344?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13639061#comment-13639061 ] 

James Leigh commented on HTTPCLIENT-1344:
-----------------------------------------

Humm, well I did find this http://tools.ietf.org/html/rfc1738#section-3.3, which states "No user name or password is allowed". Perhaps the userinfo should just be ignored...? Either way, the current behaviour of sending the password in the clear preemptively should be changed, I think.
                
> Userinfo Credentials in URI Should Not Default to Preemptive Authentication
> ---------------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-1344
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1344
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient
>    Affects Versions: 4.2.4
>            Reporter: James Leigh
>             Fix For: 4.3 Beta2
>
>
> When using a request like new HttpGet("http://user:pass@example.com/") HttpClient will send along an Authorization: Basic header with the first request (even if the server uses Digest Access).
> The expected behaviour is for HttpClient to send a request with no user credentials at all, wait for the server to send a 401 response. Then based on the supported auth scheme, send another request with the credentials in a scheme that is supported by the server.

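The challenge-driven flow requested in the issue, as an added example that is not part of the original message and is not HttpClient's code. It uses only the JDK; the class and method names are hypothetical, the challenge strings are constructed, and the Digest branch assumes the legacy form without qop (MD5 only).

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical helper, not HttpClient API. Digest covers only the no-qop MD5 form.
public class ChallengeDrivenAuth {
    static String md5Hex(String s) throws Exception {
        byte[] d = MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.ISO_8859_1));
        return String.format("%032x", new java.math.BigInteger(1, d));
    }
    // Value of a quoted challenge parameter such as realm="...", or null.
    static String param(String challenge, String name) {
        Matcher m = Pattern.compile("\\b" + name + "=\"([^\"]*)\"").matcher(challenge);
        return m.find() ? m.group(1) : null;
    }
    static URI withoutUserInfo(URI u) throws Exception { // URI to put on the wire
        return new URI(u.getScheme(), null, u.getHost(), u.getPort(), u.getPath(), u.getQuery(), u.getFragment());
    }
    // Authorization value or null; challenge is the WWW-Authenticate value of a 401, null before any 401.
    static String authorization(URI uri, String method, String challenge) throws Exception {
        String info = uri.getUserInfo();
        if (info == null || challenge == null) return null; // first request carries no credentials
        String[] up = info.split(":", 2);
        String user = up[0], pass = up.length > 1 ? up[1] : "";
        String scheme = challenge.trim().split("\\s+", 2)[0];
        if (scheme.equalsIgnoreCase("Digest")) {
            String realm = param(challenge, "realm"), nonce = param(challenge, "nonce");
            if (realm == null || nonce == null) return null; // malformed challenge: send nothing
            String path = uri.getRawPath().isEmpty() ? "/" : uri.getRawPath();
            String ha1 = md5Hex(user + ":" + realm + ":" + pass);
            String ha2 = md5Hex(method + ":" + path);
            return String.format("Digest username=\"%s\", realm=\"%s\", nonce=\"%s\", uri=\"%s\", response=\"%s\"",
                    user, realm, nonce, path, md5Hex(ha1 + ":" + nonce + ":" + ha2));
        }
        if (scheme.equalsIgnoreCase("Basic")) // password leaves the client only because the server asked for Basic
            return "Basic " + Base64.getEncoder().encodeToString((user + ":" + pass).getBytes(StandardCharsets.ISO_8859_1));
        return null; // scheme this example does not handle
    }
    public static void main(String[] args) throws Exception {
        URI uri = new URI("http://user:pass@example.com/"); // URI from the issue text
        System.out.println(withoutUserInfo(uri));                 // request line target, no userinfo
        System.out.println(authorization(uri, "GET", null));      // before any 401: no header
        System.out.println(authorization(uri, "GET", "Digest realm=\"test\", nonce=\"abc123\"")); // constructed
        System.out.println(authorization(uri, "GET", "Basic realm=\"test\""));                     // constructed
    }
}
```

With the Digest challenge the password never appears on the wire; only the Basic challenge produces a header from which it can be recovered.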