Posted to dev@camel.apache.org by "Richard Kettelerij (JIRA)" <ji...@apache.org> on 2011/06/09 10:39:58 UTC

[jira] [Issue Comment Edited] (CAMEL-4056) Enable preemptive basic authentication by default

    [ https://issues.apache.org/jira/browse/CAMEL-4056?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13046399#comment-13046399 ] 

Richard Kettelerij edited comment on CAMEL-4056 at 6/9/11 8:38 AM:
-------------------------------------------------------------------

Willem, Claus,

Thanks for reporting. I was also thinking about the same, we shouldn't enable preemptive auth by default since it's a potential security risk (although we already allow authentication against arbitrary realms and hosts, which might be a bigger security risk). I'll make this setting non-default asap. Furthermore I'm working on getting it running in {{camel-http4}}. 

      was (Author: rkettelerij):
    Willem, Claus,

Thanks for reporting. I was also thinking about the same, we shouldn't enable preemptive auth by default since it's a potential security risk (although we're already allow authentication against arbitrary realms and hosts, which might be a bigger security risk). I'll make this setting non-default asap. Furthermore I'm working on getting it running in {{camel-http4}}. 
  
> Enable preemptive basic authentication by default
> -------------------------------------------------
>
>                 Key: CAMEL-4056
>                 URL: https://issues.apache.org/jira/browse/CAMEL-4056
>             Project: Camel
>          Issue Type: Improvement
>          Components: camel-http
>    Affects Versions: 2.7.2
>            Reporter: Richard Kettelerij
>            Assignee: Richard Kettelerij
>             Fix For: 2.8.0
>
>
> Currently Camel only sends credentials when a server explicitly prompts for basic authentication. However there are cases where a URL is available to both authenticated as well as unauthenticated parties. In that case the {{camel-http}} component won't send any credentials to the server, even though the credentials are explicitly provided in the URI or Exchange.
> This can be solved by enabling preemptive authentication in Apache HttpClient. In that case the credentials will always be provided whether the server asks for them or not. Enabling this provides a sensible default.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
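
The trade-off discussed in this thread, as an added example that is not part of the original message and is not Camel or Apache HttpClient code: preemptive Basic credentials are attached to the first request only when the target is HTTPS and matches one configured host and port, so they are never sent unprompted to arbitrary hosts. It assumes Java 11+ (java.net.http); the class name ScopedPreemptiveAuth, the hosts and the credentials are hypothetical, constructed values.

```java
import java.net.URI;
import java.net.http.HttpRequest;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added example: hypothetical helper, not Camel or Apache HttpClient code.
public class ScopedPreemptiveAuth {
    private final String host;        // the only host allowed to receive credentials
    private final int port;
    private final String headerValue; // "Basic base64(user:password)"

    public ScopedPreemptiveAuth(String host, int port, String user, String password) {
        this.host = host;
        this.port = port;
        String pair = user + ":" + password;
        this.headerValue = "Basic " + Base64.getEncoder()
                .encodeToString(pair.getBytes(StandardCharsets.UTF_8));
    }

    // True only for HTTPS requests to the exact configured host and port.
    boolean inScope(URI uri) {
        if (!"https".equalsIgnoreCase(uri.getScheme()) || uri.getHost() == null) {
            return false; // Basic auth over cleartext HTTP exposes the password
        }
        int p = uri.getPort() == -1 ? 443 : uri.getPort();
        return uri.getHost().equalsIgnoreCase(host) && p == port;
    }

    // Builds the first request; credentials go out unprompted only when in scope.
    public HttpRequest build(URI uri) {
        HttpRequest.Builder b = HttpRequest.newBuilder(uri).GET();
        if (inScope(uri)) {
            b.header("Authorization", headerValue);
        }
        return b.build();
    }

    public static void main(String[] args) {
        // Constructed sample targets; the example.* names are placeholders.
        ScopedPreemptiveAuth auth =
                new ScopedPreemptiveAuth("api.example.com", 443, "camel", "s3cret");
        String[] targets = {
            "https://api.example.com/orders",                   // in scope
            "http://api.example.com/orders",                    // cleartext scheme
            "https://api.example.com.lookalike.example/orders", // prefix match only
            "https://other.example.net/orders"                  // different host
        };
        for (String t : targets) {
            HttpRequest r = auth.build(URI.create(t));
            boolean sent = r.headers().firstValue("Authorization").isPresent();
            System.out.println(t + " -> Authorization sent: " + sent);
        }
    }
}
```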