Posted to httpclient-users@hc.apache.org by "Mark A. Claassen" <MC...@ocie.net> on 2016/04/07 19:54:39 UTC

Proxy Authentication Strategy

Apache HTTPClient 4.4.1

I was doing some more tests with proxy authentication and I ran into something I didn't expect.  AuthenticationStrategyImpl goes through the list of schemes ( SPNEGO, NTLM, ...) to find the ones that have "authentications".  However, this goes through all of them and does not stop after it gets one.

I created a CredentialsProvider that prompts the user for a username and password for certain schemes.  I was surprised to find out that this made my password dialog appear too often.  I configured my proxy server to allow for NTLM and DIGEST authentication schemes.  Then using my HttpClient, I thought that if NTLM was higher in priority, and there were credentials for that, it would not continue to ask for credentials for the DIGEST scheme.  However, it always goes through the whole list.  Is this supposed to be this way?  

Does this make sense with how proxy servers work?  In my case, configuring the proxy server to allow NTLM and DIGEST authentication means that it will allow access if *either* is specified, and does not require both.

It would be nice if AuthenticationStrategyImpl would stop searching once it found something, however there does not seem to be an easy way to handle this.  This makes me think I might be doing something wrong.  I thought a custom CredentialsProvider would be the correct place to code in a password dialog.  But maybe there is a better "hook" I can use to bring up the dialog, and then just put the information in the CredentialsProvider.  Is there a better place to put this code?

It seems the only way to handle this is to re-write AuthenticationStrategyImpl, adding a single line so it will stop after the first non-null credentials are returned.

Thanks,
Mark 

Disclaimer:
The opinions provided herein do not necessarily state or reflect those of Donnell Systems, Inc.(DSI). DSI makes no warranty for and assumes no legal liability or responsibility for the posting.


---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org


RE: Proxy Authentication Strategy

Posted by "Mark A. Claassen" <MC...@ocie.net>.
Thanks for the response.  I can understand why it is that way.  

However, if some of the schemes require user interaction, it gets a bit complicated.  I would like to say I support NTLM and DIGEST, but I don't want to bring up a username / password dialog (for the DIGEST) if the NTLM credentials are valid and I can use them without user interaction.

I guess I will code my client and provider to be smarter and keep track of all this so it can only prompt for passwords at appropriate times.  I think I can get that to work as opposed to changing how HttpClient operates that loop. 

Mark Claassen
Senior Software Engineer

Donnell Systems, Inc.
130 South Main Street
Leighton Plaza Suite 375
South Bend, IN  46601
E-mail: mailto:mclaassen@ocie.net
Voice: (574)232-3784
Fax: (574)232-4014


-----Original Message-----
From: Oleg Kalnichevski [mailto:olegk@apache.org] 
Sent: Saturday, April 09, 2016 5:45 AM
To: HttpClient User Discussion
Subject: Re: Proxy Authentication Strategy

On Thu, 2016-04-07 at 17:54 +0000, Mark A. Claassen wrote:
> Apache HTTPClient 4.4.1
> 
> I was doing some more tests with proxy authentication and I ran into something I didn't expect.  AuthenticationStrategyImpl goes through the list of schemes ( SPNEGO, NTLM, ...) to find the ones that have "authentications".  However, this goes through all of them and does not stop after it gets one.
> 
> I created a CredentialsProvider that prompts the user for a username and password for certain schemes.  I was surprised to find out that this made my password dialog appear too often.  I configured my proxy server to allow for NTLM and DIGEST authentication schemes.  Then using my HttpClient, I thought that if NTLM was higher in priority, and there were credentials for that, it would not continue to ask for credentials for the DIGEST scheme.  However, it always goes through the whole list.  Is this supposed to be this way? 

It is. AuthenticationStrategyImpl does so to identify all auth schemes that can potentially be used to respond to the authentication challenges sent by the server. Naturally it can only do so if there are credentials matching the actual authentication scope.  

>  
> 
> Does this make sense with how proxy servers work?  In my case, configuring the proxy server to allow NTLM and DIGEST authentication means that it will allow access if *either* is specified, and does not require both.
> 
> It would be nice if AuthenticationStrategyImpl would stop searching once it found something, however there does not seem to be an easy way to handle this.  This makes me think I might be doing something wrong.  I thought a custom CredentialsProvider would be the correct place to code in a password dialog.  But maybe there is a better "hook" I can use to bring up the dialog, and then just put the information in the CredentialsProvider.  Is there a better place to put this code?
> 
> It seems the only way to handle this is to re-write AuthenticationStrategyImpl, adding a single line so it will stop after the first non-null credentials are returned.
> 

There should be nothing stopping you from returning the same creds multiple times. You just need to make your implementation of CredentialsProvider a little smarter.

Oleg





Re: Proxy Authentication Strategy

Posted by Oleg Kalnichevski <ol...@apache.org>.
On Thu, 2016-04-07 at 17:54 +0000, Mark A. Claassen wrote:
> Apache HTTPClient 4.4.1
> 
> I was doing some more tests with proxy authentication and I ran into something I didn't expect.  AuthenticationStrategyImpl goes through the list of schemes ( SPNEGO, NTLM, ...) to find the ones that have "authentications".  However, this goes through all of them and does not stop after it gets one.
> 
> I created a CredentialsProvider that prompts the user for a username and password for certain schemes.  I was surprised to find out that this made my password dialog appear too often.  I configured my proxy server to allow for NTLM and DIGEST authentication schemes.  Then using my HttpClient, I thought that if NTLM was higher in priority, and there were credentials for that, it would not continue to ask for credentials for the DIGEST scheme.  However, it always goes through the whole list.  Is this supposed to be this way? 

It is. AuthenticationStrategyImpl does so to identify all auth schemes
that can potentially be used to respond to the authentication challenges
sent by the server. Naturally it can only do so if there are credentials
matching the actual authentication scope.  

>  
> 
> Does this make sense with how proxy servers work?  In my case, configuring the proxy server to allow NTLM and DIGEST authentication means that it will allow access if *either* is specified, and does not require both.
> 
> It would be nice if AuthenticationStrategyImpl would stop searching once it found something, however there does not seem to be an easy way to handle this.  This makes me think I might be doing something wrong.  I thought a custom CredentialsProvider would be the correct place to code in a password dialog.  But maybe there is a better "hook" I can use to bring up the dialog, and then just put the information in the CredentialsProvider.  Is there a better place to put this code?
> 
> It seems the only way to handle this is to re-write AuthenticationStrategyImpl, adding a single line so it will stop after the first non-null credentials are returned.
> 

There should be nothing stopping you from returning the same creds
multiple times. You just need to make your implementation of
CredentialsProvider a little smarter.

Oleg
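
One way to build the "smarter" CredentialsProvider discussed in this thread, as an added example that is not code from either poster or from HttpClient itself. It assumes Java 8 and the HttpClient 4.x interfaces; the class name, the `prompt` callback and `markNtlmRejected()` are hypothetical.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.function.Function;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.Credentials;
import org.apache.http.client.CredentialsProvider;

// Added example: prompts at most once per proxy realm, and never while NTLM is usable.
public class PromptOnceCredentialsProvider implements CredentialsProvider {
    private final Credentials ntlm;   // non-interactive credentials, e.g. NTCredentials; may be null
    private final Function<AuthScope, Credentials> prompt;   // hypothetical dialog hook; null = cancelled
    private final Map<String, Credentials> answers = new HashMap<>();
    private boolean ntlmRejected;

    public PromptOnceCredentialsProvider(Credentials ntlm, Function<AuthScope, Credentials> prompt) {
        this.ntlm = ntlm;
        this.prompt = prompt;
    }

    // Hypothetical hook: the calling code sets this once the proxy has refused the NTLM credentials.
    public synchronized void markNtlmRejected() { ntlmRejected = true; }

    private static String key(AuthScope s) {
        return s.getHost() + ':' + s.getPort() + ':' + s.getRealm();
    }

    @Override
    public synchronized Credentials getCredentials(AuthScope scope) {
        boolean ntlmUsable = ntlm != null && !ntlmRejected;
        if ("NTLM".equalsIgnoreCase(scope.getScheme())) {
            return ntlmUsable ? ntlm : null;
        }
        if (ntlmUsable || !"DIGEST".equalsIgnoreCase(scope.getScheme())) {
            return null;   // NTLM will answer, or not a prompted scheme: no dialog
        }
        // The strategy asks again on every challenge, so reuse the earlier answer.
        // The lock is held while prompting so concurrent requests share one dialog.
        Credentials c = answers.get(key(scope));
        if (c == null && (c = prompt.apply(scope)) != null) {
            answers.put(key(scope), c);
        }
        return c;
    }

    @Override
    public synchronized void setCredentials(AuthScope scope, Credentials c) {
        if (c == null) answers.remove(key(scope)); else answers.put(key(scope), c);
    }

    @Override
    public synchronized void clear() { answers.clear(); ntlmRejected = false; }
}
```

Install it with `HttpClientBuilder.setDefaultCredentialsProvider(...)`; calling `clear()` drops the cached passwords so the next challenge prompts again.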


