Posted to dev@hc.apache.org by "Blanc, Isabelle" <Is...@mairie-paris.fr> on 2003/12/31 16:42:33 UTC

authentication ...

Hi everybody :)

and first of all, I wish you all a happy new year :)) 

and now is my question/remark (I don't know if it's better to post it here, or in the user mailing list, or as a comment in bugzilla, but I don't want to cross post, so for now I post it only here - let me know if I should cross post or add a comment in bugzilla) : 

- the proxy I had to go through was using NTLM, and I checked out the HTTPCLIENT_2_0_BRANCH tag sources from cvs.
- then the sysadmin decided to open a door for me in the proxy that would use only basic authentication. So I thought that replacing the NTCredentials with UsernamePasswordCredentials would be enough - and it wasn't. The code was still returning a 407 - which is weird with basic auth.
- I finally found out where the "error" was (and now it works fine - only for me tho), but I can't decide if it's because of the proxy (that returns a "wrong" answer) or because of commons/httpclient code :
	* the proxy returns these challenges, in this order : ntlm - basic - kerberos - negotiate
	* in HttpAuthenticator.selectAuthScheme, after having built the challengemap, you go like :
...
		challenge = (String) challengemap.get("ntlm");
		if (challenge != null) {
			return new NTLMScheme(challenge);
		}
		challenge = (String) challengemap.get("digest");
		if (challenge != null) {
			return new DigestScheme(challenge);
		}
		challenge = (String) challengemap.get("basic");
		if (challenge != null) {
			return new BasicScheme(challenge);
		}
...

I only commented out the 4 lines about NTLM (I know it's quick & dirty but .. I had to make it work before 2004 ;] !)
Anyway, does it mean that the proxy should NOT return any ntlm challenge if it expects a basic auth, even if it's for one single realm (all other realms (domains for ntlm) use NTLM auth) ?
Or does it mean there's something here in the code that needs to be twisted (like, the only challenge that actually has a "value" is the basic one : if I print the challenge map I get 
ntlm--NTLM
basic--Basic realm="hidden-sorry"
kerberos--Kerberos
negotiate--Negotiate
) ??

that was my 2 cents ....
hope you'll all have a nice nice new year's eve tonight :o) ! 

Isa

---------------------------------------------------------------------
To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org


Re: authentication ...

Posted by Steve Vaughan <sn...@yahoo.com>.
We ran into the same problem (and used the same temporary workaround).  It 
seems to me that HttpAuthenticator.selectAuthScheme should take into account 
the credentials that are available, skipping authentication schemes without 
credentials.  In your case, since you only provided 
UsernamePasswordCredentials, NTLM couldn't possibly work so it shouldn't have 
been selected by the code.

-Steve

On Wednesday 31 December 2003 10:42 am, Blanc, Isabelle wrote:
> Hi everybody :)
>
> and first of all, I wish you all a happy new year :))
>
> and now is my question/remark (I don't know if it's better to post it here,
> or in the user mailing list, or as a comment in bugzilla, but I don't want
> to cross post, so for now I post it only here - let me know if I should
> cross post or add a comment in bugzilla) :
>
> - the proxy I had to go through was using NTLM, and I checked out the
> HTTPCLIENT_2_0_BRANCH tag sources from cvs. - then the sysadmin decided to
> open a door for me in the proxy that would use only basic authentication.
> So I thought that replacing the NTCredentials with
> UsernamePasswordCredentials would be enough - and it wasn't. The code was
> still returning a 407 - which is weird with basic auth. - I finally found
> out where the "error" was (and now it works fine - only for me tho), but I
> can't decide if it's because of the proxy (that returns a "wrong" answer)
> or because of commons/httpclient code : * the proxy returns these
> challenges, in this order : ntlm - basic - kerberos - negotiate * in
> HttpAuthenticator.selectAuthScheme, after having built the challengemap,
> you go like : ...
> 		challenge = (String) challengemap.get("ntlm");
> 		if (challenge != null) {
> 			return new NTLMScheme(challenge);
> 		}
> 		challenge = (String) challengemap.get("digest");
> 		if (challenge != null) {
> 			return new DigestScheme(challenge);
> 		}
> 		challenge = (String) challengemap.get("basic");
> 		if (challenge != null) {
> 			return new BasicScheme(challenge);
> 		}
> ...
>
> I only commented out the 4 lines about NTLM (I know it's quick & dirty but
> .. I had to make it work before 2004 ;] !) Anyway, does it mean that the
> proxy should NOT return any ntlm challenge if it expects a basic auth, even
> if it's for one single realm (all other realms (domains for ntlm) use NTLM
> auth) ? Or does it mean there's something here in the code that needs to be
> twisted (like, the only challenge that actually has a "value" is the basic
> one : if I print the challenge map I get ntlm--NTLM
> basic--Basic realm="hidden-sorry"
> kerberos--Kerberos
> negotiate--Negotiate
> ) ??
>
> that was my 2 cents ....
> hope you'll all have a nice nice new year's eve tonight :o) !
>
> Isa


Re: preemptive authentication ...

Posted by Michael Becke <be...@u.washington.edu>.
Hi Sid,

HttpClient only supports using Basic authentication preemptively.  This 
is because both NTLM, and Digest require values sent by the server as 
part of the Authorization request to create the authorization response.

Mike

On Jan 2, 2004, at 4:15 PM, Sid Subr wrote:

> on the same note of preemptive authentication.. I know
> this question sounds dumb (when I read back the
> contents)
> but is there a way to send the authentication
> digest/credentials with the first request so that the
> request does not get challenged?
>
> after reading preemptive  authentication for
> httpclient in the authentication doc.. it seems this
> preemptiveness is only possible with basic
> authentication.. is this true?
>
> Sid
>
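
The difference Mike describes, as an added example that is not part of any message in this thread and is not HttpClient code: a Basic header can be built from the credentials alone, while a Digest response (RFC 2617, shown without qop) cannot be computed until the server's challenge has supplied a realm and nonce. The class name, sample credentials, realm and nonces are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

public class PreemptiveAuthDemo {
    /** Basic: the header value depends only on what the client already holds. */
    static String basicHeader(String user, String password) {
        byte[] raw = (user + ":" + password).getBytes(StandardCharsets.ISO_8859_1);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    static String md5Hex(String s) throws NoSuchAlgorithmException {
        byte[] d = MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.ISO_8859_1));
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    /** Digest (RFC 2617, no qop): MD5(HA1:nonce:HA2); realm and nonce come from the challenge. */
    static String digestResponse(String user, String password, String method, String uri,
                                 String realm, String nonce) throws NoSuchAlgorithmException {
        if (realm == null || nonce == null) {
            throw new IllegalStateException("no challenge seen yet: realm and nonce unknown");
        }
        String ha1 = md5Hex(user + ":" + realm + ":" + password);
        String ha2 = md5Hex(method + ":" + uri);
        return md5Hex(ha1 + ":" + nonce + ":" + ha2);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample credentials, realm and nonces.
        String user = "alice", pw = "example-password";
        System.out.println("Sendable on the first request: " + basicHeader(user, pw));
        try {
            digestResponse(user, pw, "GET", "/", null, null);
        } catch (IllegalStateException e) {
            System.out.println("Digest before any challenge: " + e.getMessage());
        }
        String first = digestResponse(user, pw, "GET", "/", "example-realm", "nonce-1");
        String second = digestResponse(user, pw, "GET", "/", "example-realm", "nonce-2");
        System.out.println("Digest response changes with the nonce: " + !first.equals(second));
    }
}
```

The Basic value is the same on every request, so sending it preemptively hands a reusable, merely base64-encoded password to whichever host receives the first request.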




preemptive authentication ...

Posted by Sid Subr <si...@yahoo.com>.
on the same note of preemptive authentication.. I know
this question sounds dumb (when I read back the
contents)
but is there a way to send the authentication
digest/credentials with the first request so that the
request does not get challenged?

after reading preemptive  authentication for
httpclient in the authentication doc.. it seems this
preemptiveness is only possible with basic
authentication.. is this true?

Sid



Re: authentication ...

Posted by Sid Subr <si...@yahoo.com>.
on the same note of authentication.. I know this
question sounds dumb (when I read back the contents)
but
is there a way to send the authentication
digest/credentials with the first request so that the
request does not get challenged?






Re: authentication ...

Posted by Michael Becke <be...@u.washington.edu>.
Hi Isabelle,

Happy New Year!

This is a known problem with HttpClient.  Bug #15297 
<http://issues.apache.org/bugzilla/show_bug.cgi?id=15297>.  The plan is 
to add a configuration option for specifying the order in which auth 
challenges are processed.  You should be able to work around this by 
using preemptive authentication, see 
HttpState.setAuthenticationPreemptive().

Mike

On Dec 31, 2003, at 10:42 AM, Blanc, Isabelle wrote:

> Hi everybody :)
>
> and first of all, I wish you all a happy new year :))
>
> and now is my question/remark (I don't know if it's better to post it 
> here, or in the user mailing list, or as a comment in bugzilla, but I 
> don't want to cross post, so for now I post it only here - let me know 
> if I should cross post or add a comment in bugzilla) :
>
> - the proxy I had to go through was using NTLM, and I checked out the 
> HTTPCLIENT_2_0_BRANCH tag sources from cvs.
> - then the sysadmin decided to open a door for me in the proxy that 
> would use only basic authentication. So I thought that replacing the 
> NTCredentials with UsernamePasswordCredentials would be enough - and 
> it wasn't. The code was still returning a 407 - which is weird with 
> basic auth.
> - I finally found out where the "error" was (and now it works fine - 
> only for me tho), but I can't decide if it's because of the proxy 
> (that returns a "wrong" answer) or because of commons/httpclient code 
> :
> 	* the proxy returns these challenges, in this order : ntlm - basic - 
> kerberos - negotiate
> 	* in HttpAuthenticator.selectAuthScheme, after having built the 
> challengemap, you go like :
> ...
> 		challenge = (String) challengemap.get("ntlm");
> 		if (challenge != null) {
> 			return new NTLMScheme(challenge);
> 		}
> 		challenge = (String) challengemap.get("digest");
> 		if (challenge != null) {
> 			return new DigestScheme(challenge);
> 		}
> 		challenge = (String) challengemap.get("basic");
> 		if (challenge != null) {
> 			return new BasicScheme(challenge);
> 		}
> ...
>
> I only commented out the 4 lines about NTLM (I know it's quick & dirty 
> but .. I had to make it work before 2004 ;] !)
> Anyway, does it mean that the proxy should NOT return any ntlm 
> challenge if it expects a basic auth, even if it's for one single 
> realm (all other realms (domains for ntlm) use NTLM auth) ?
> Or does it mean there's something here in the code that needs to be 
> twisted (like, the only challenge that actually has a "value" is the 
> basic one : if I print the challenge map I get
> ntlm--NTLM
> basic--Basic realm="hidden-sorry"
> kerberos--Kerberos
> negotiate--Negotiate
> ) ??
>
> that was my 2 cents ....
> hope you'll all have a nice nice new year's eve tonight :o) !
>
> Isa
>
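
One way the selection could honour both ideas raised in this thread, Steve's (skip schemes for which no credentials are available) and the configurable challenge order Mike mentions, written as an added example that is not part of any message here and is not HttpClient's code. The class, the `CredentialKind` enum and the scheme-to-credential mapping are hypothetical; the challenge values are the ones printed in the original post.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

public class AuthSchemeSelection {
    enum CredentialKind { USERNAME_PASSWORD, NT_DOMAIN }
    // Assumption of this sketch: the credential kinds each implemented scheme can use.
    static final Map<String, Set<CredentialKind>> USABLE = Map.of(
        "ntlm", Set.of(CredentialKind.NT_DOMAIN),
        "digest", Set.of(CredentialKind.USERNAME_PASSWORD),
        "basic", Set.of(CredentialKind.USERNAME_PASSWORD));

    /** Keys each challenge by its lower-cased scheme token, like the challenge map in the post. */
    static Map<String, String> challengeMap(List<String> headerValues) {
        Map<String, String> map = new LinkedHashMap<>();
        for (String value : headerValues) {
            String v = value.trim();
            if (v.isEmpty()) continue;
            map.putIfAbsent(v.split("\\s+", 2)[0].toLowerCase(Locale.ROOT), v);
        }
        return map;
    }

    /** First scheme in the caller's order that was offered and has usable credentials. */
    static Optional<String> select(Map<String, String> challenges, List<String> preference,
                                   Set<CredentialKind> available) {
        for (String scheme : preference) {
            Set<CredentialKind> usable = USABLE.get(scheme);
            if (usable == null || !challenges.containsKey(scheme)) continue;
            if (usable.stream().anyMatch(available::contains)) return Optional.of(scheme);
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        // The four challenges, in the order the proxy in the thread returned them.
        Map<String, String> offered = challengeMap(List.of(
            "NTLM", "Basic realm=\"hidden-sorry\"", "Kerberos", "Negotiate"));
        List<String> order = List.of("ntlm", "digest", "basic");
        System.out.println(select(offered, order, Set.of(CredentialKind.USERNAME_PASSWORD)));
        System.out.println(select(offered, order, Set.of(CredentialKind.NT_DOMAIN)));
        // A caller that refuses Basic simply leaves it out of the preference list.
        System.out.println(select(offered, List.of("ntlm", "digest"),
            Set.of(CredentialKind.USERNAME_PASSWORD)));
    }
}
```

With only username/password credentials the selection falls through to Basic instead of attempting NTLM; an empty result in the last call lets the caller fail closed rather than silently fall back to a scheme that sends the password in recoverable form.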

