Posted to dev@hc.apache.org by Karl Wright <da...@gmail.com> on 2019/01/03 16:33:01 UTC
Pre-emptive authorization
Hi Oleg et al,
One ManifoldCF user has an unusual requirement for basic auth that requires
the auth header to be sent pre-emptively, not as a consequence of receiving
a 401 response. He proposes the following patch for ManifoldCF, but I
wonder whether there's a better way to do this with existing
HttpComponents/HttpClient code.
Here's the patch link:
https://issues.apache.org/jira/secure/attachment/12953640/CONNECTORS-1564.patch
Any thoughts?
Karl
Re: Pre-emptive authorization
Posted by Michael Osipov <mi...@apache.org>.
On 2019-01-03 at 22:10, Karl Wright wrote:
> Well, I don't actually see anything wrong with the idea of sending the auth
> header right up front and not requiring a whole extra back-and-forth to
> authorize. NTLM needs that but basic auth doesn't in theory. What is
> wrong with what they are doing? Do you have a spec I can present to them?
I state that no auth mech requires that because the first request with
Expect: 100-continue is so small that it shall work.
Did you actually try that with NTLM? But it violates RFC 7235 anyway.
RFC 7235, chapter 2.1 says
>
> A user agent that wishes to authenticate itself with an origin server
> -- usually, but not necessarily, after receiving a 401 (Unauthorized)
> -- can do so by including an Authorization header field with the
> request.
So, I guess it is fine doing so, but not by default. You aren't showing
your ID to people unless you have been asked for it, right?
Michael
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org
Re: Pre-emptive authorization
Posted by Karl Wright <da...@gmail.com>.
Well, I don't actually see anything wrong with the idea of sending the auth
header right up front and not requiring a whole extra back-and-forth to
authorize. NTLM needs that but basic auth doesn't in theory. What is
wrong with what they are doing? Do you have a spec I can present to them?
Karl
On Thu, Jan 3, 2019 at 12:21 PM Michael Osipov <mi...@apache.org> wrote:
> On 2019-01-03 at 17:33, Karl Wright wrote:
> > Hi Oleg et al,
> >
> > One ManifoldCF user has an unusual requirement for basic auth that requires
> > the auth header to be sent pre-emptively, not as a consequence of receiving
> > a 401 response. He proposes the following patch for ManifoldCF, but I
> > wonder whether there's a better way to do this with existing
> > HttpComponents/HttpClient code.
> >
> > Here's the patch link:
> >
> > https://issues.apache.org/jira/secure/attachment/12953640/CONNECTORS-1564.patch
> >
> > Any thoughts?
>
> I consider this to be a solution to a symptom, not a problem.
>
> Michael
>
Re: Pre-emptive authorization
Posted by Michael Osipov <mi...@apache.org>.
On 2019-01-03 at 17:33, Karl Wright wrote:
> Hi Oleg et al,
>
> One ManifoldCF user has an unusual requirement for basic auth that requires
> the auth header to be sent pre-emptively, not as a consequence of receiving
> a 401 response. He proposes the following patch for ManifoldCF, but I
> wonder whether there's a better way to do this with existing
> HttpComponents/HttpClient code.
>
> Here's the patch link:
>
> https://issues.apache.org/jira/secure/attachment/12953640/CONNECTORS-1564.patch
>
> Any thoughts?
I consider this to be a solution to a symptom, not a problem.
Michael
Re: Pre-emptive authorization
Posted by Oleg Kalnichevski <ol...@apache.org>.
On Thu, 2019-01-03 at 11:33 -0500, Karl Wright wrote:
> Hi Oleg et al,
>
> One ManifoldCF user has an unusual requirement for basic auth that requires
> the auth header to be sent pre-emptively, not as a consequence of receiving
> a 401 response. He proposes the following patch for ManifoldCF, but I
> wonder whether there's a better way to do this with existing
> HttpComponents/HttpClient code.
>
> Here's the patch link:
>
> https://issues.apache.org/jira/secure/attachment/12953640/CONNECTORS-1564.patch
>
> Any thoughts?
>
> Karl
Hi Karl
Could you please ask the contributor if he has considered using
AuthCache to implement preemptive BASIC authentication as described
here?
http://hc.apache.org/httpcomponents-client-4.5.x/httpclient/examples/org/apache/http/examples/client/ClientPreemptiveBasicAuthentication.java
Oleg
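
The AuthCache approach suggested in the message above, as an added example that is not part of the original thread or of the ManifoldCF patch. It uses HttpClient 4.5.x classes; the host name, request path and the two environment variable names are placeholders assumed for illustration.

```java
import org.apache.http.HttpHost;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.AuthCache;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.protocol.HttpClientContext;
import org.apache.http.impl.auth.BasicScheme;
import org.apache.http.impl.client.BasicAuthCache;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.util.EntityUtils;

public class PreemptiveBasicAuthExample {
    public static void main(String[] args) throws Exception {
        // Placeholder target. HTTPS matters here: Basic credentials are only
        // Base64-encoded, and preemptive mode sends them on the very first request.
        HttpHost target = new HttpHost("repo.example.com", 443, "https");

        // Bind the credentials to this host and port only (not AuthScope.ANY),
        // so they are not offered to any other server the client talks to.
        // CRAWL_USER / CRAWL_PASSWORD are hypothetical variable names.
        CredentialsProvider credsProvider = new BasicCredentialsProvider();
        credsProvider.setCredentials(
                new AuthScope(target.getHostName(), target.getPort()),
                new UsernamePasswordCredentials(
                        System.getenv("CRAWL_USER"), System.getenv("CRAWL_PASSWORD")));

        // Seeding the AuthCache with a BasicScheme for the target makes HttpClient
        // attach the Authorization header up front instead of waiting for a 401.
        AuthCache authCache = new BasicAuthCache();
        authCache.put(target, new BasicScheme());

        HttpClientContext context = HttpClientContext.create();
        context.setCredentialsProvider(credsProvider);
        context.setAuthCache(authCache);

        try (CloseableHttpClient client = HttpClients.createDefault()) {
            HttpGet get = new HttpGet("/protected/index.html"); // placeholder path
            try (CloseableHttpResponse response = client.execute(target, get, context)) {
                System.out.println(response.getStatusLine());
                EntityUtils.consume(response.getEntity());
            }
        }
    }
}
```

Because the cache entry is keyed on one HttpHost, only requests to that host get the preemptive header; other hosts still go through the normal 401 challenge.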