Posted to dev@hc.apache.org by Michael Becke <be...@u.washington.edu> on 2004/06/09 14:23:25 UTC

Re: DO NOT REPLY [Bug 29439] - Credentials ignored if realm specified in preemptive authentication

Oops. I forgot to update the site last night. I'm doing so now.

Mike

On Jun 9, 2004, at 6:00 AM, bugzilla@apache.org wrote:

> http://issues.apache.org/bugzilla/show_bug.cgi?id=29439
>
> Credentials ignored if realm specified in preemptive authentication
>
> olegk@apache.org changed:
>
>            What    |Removed                     |Added
> ----------------------------------------------------------------------------
>            Severity|Normal                      |Enhancement
>              Status|NEW                         |ASSIGNED
>    Target Milestone|---                         |3.0 Alpha 2
>
>
>
> ------- Additional Comments From olegk@apache.org  2004-06-09 09:59 -------
> Philippe,
> Just recently we have had quite a few complaints regarding the way preemptive
> authentication is handled. The official HttpClient authentication guide has been
> revised to clarify the gray areas in the 2.0 API, primarily concerning the
> prerequisites expected in order to make preemptive authentication functional.
> Rather unfortunately the site has not been redeployed yet, so the updated
> authentication guide is not available at the moment. You can see the xdoc source
> at the following location:
>
> http://cvs.apache.org/viewcvs.cgi/jakarta-commons/httpclient/xdocs/authentication.xml?rev=1.5.2.4&only_with_tag=HTTPCLIENT_2_0_BRANCH&view=markup
>
>> But I don't personally think it is defensive enough since it disables
>> preemptive auth and it could result in large performance degradation
>> since you have to repeat (multi-megabytes?) POST requests two times
>> to get through.
>
> Preemptive authentication is not the best answer to this problem. The problem
> can be much better addressed by using the so-called 'expect-continue' handshake.
> See ExpectContinueMethod method's javadoc for details.
>
> The entire authentication framework in HttpClient has been completely rewritten
> for the 3.0 release. With HttpClient 3.0 one should already get a warning in
> case of missing authentication credentials. Furthermore, it also provides a
> better API for credentials assignment and retrieval. I will also try to come up
> with a better way to assign default credentials. So, stay tuned.
>
> Oleg
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org
>
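
The trade-off discussed in the quoted comment (repeating a large POST after a 401 versus using the 'expect-continue' handshake), as an added example that is not part of the original thread and does not use HttpClient itself. It assumes HTTP Basic authentication; the loopback server, the `/upload` path and the `demo:secret` credentials are constructed for the demo, and it counts how many body bytes the client has to send in each case.

```python
import base64, socket, threading
from http.server import BaseHTTPRequestHandler, HTTPServer
CREDS = "Basic " + base64.b64encode(b"demo:secret").decode()  # constructed sample

class Handler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"
    def _reply(self, code):
        self.send_response(code)
        if code == 401:
            self.send_header("WWW-Authenticate", 'Basic realm="demo"')
        self.send_header("Content-Length", "0")
        self.end_headers()
    def handle_expect_100(self):
        if self.headers.get("Authorization") != CREDS:
            self._reply(401)   # challenge on headers alone; no body requested
            return False
        return super().handle_expect_100()   # sends "100 Continue"
    def do_POST(self):
        self.rfile.read(int(self.headers["Content-Length"]))  # body already sent
        self._reply(200 if self.headers.get("Authorization") == CREDS else 401)

def post(port, body, auth, expect):
    """One attempt; returns (final status, body bytes written to the socket)."""
    head = f"POST /upload HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\nContent-Length: {len(body)}\r\n"
    head += f"Authorization: {CREDS}\r\n" if auth else ""
    head += "Expect: 100-continue\r\n" if expect else ""
    with socket.create_connection(("127.0.0.1", port)) as s, s.makefile("rb") as f:
        s.sendall(head.encode() + b"\r\n")
        if expect:
            status = int(f.readline().split()[1])
            if status != 100:
                return status, 0   # rejected before the body was sent
            f.readline()           # blank line ending the interim response
        s.sendall(body)
        return int(f.readline().split()[1]), len(body)

def upload(port, body, expect):
    status, sent = post(port, body, False, expect)
    if status == 401:              # challenged: retry with credentials
        status, again = post(port, body, True, expect)
        sent += again
    return status, sent

def demo(size=65536):
    with HTTPServer(("127.0.0.1", 0), Handler) as srv:
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        port, body = srv.server_port, b"x" * size
        result = upload(port, body, False), upload(port, body, True)
        srv.shutdown()
        return result
```

`demo()` returns the (status, body bytes sent) pair for the plain retry followed by the pair for the expect-continue retry.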

