Posted to dev@hc.apache.org by Michael Becke <be...@u.washington.edu> on 2004/06/09 14:23:25 UTC
Re: DO NOT REPLY [Bug 29439] - Credentials ignored if realm specified in preemptive authentication
Ooops. I forgot to update the site last night. I'm doing so now.
Mike
On Jun 9, 2004, at 6:00 AM, bugzilla@apache.org wrote:
> http://issues.apache.org/bugzilla/show_bug.cgi?id=29439
>
> Credentials ignored if realm specified in preemptive authentication
>
> olegk@apache.org changed:
>
> What            |Removed |Added
> ----------------------------------------------------------------------------
> Severity        |Normal  |Enhancement
> Status          |NEW     |ASSIGNED
> Target Milestone|---     |3.0 Alpha 2
>
> ------- Additional Comments From olegk@apache.org 2004-06-09 09:59 -------
> Philippe,
> Just recently we have had quite a few complaints regarding the way preemptive
> authentication is handled. The official HttpClient authentication guide has
> been revised to clarify the gray areas in the 2.0 API primarily concerning the
> prerequisites expected in order to make preemptive authentication functional.
> Rather unfortunately the site has not been redeployed yet, so the updated
> authentication guide is not available at the moment. You can see the xdoc
> source at the following location
>
> http://cvs.apache.org/viewcvs.cgi/jakarta-commons/httpclient/xdocs/authentication.xml?rev=1.5.2.4&only_with_tag=HTTPCLIENT_2_0_BRANCH&view=markup
>
>> But I don't personally think it is defensive enough since it disables
>> preemptive auth and it could result in large performance degradation
>> since you have to repeat (multi-megabytes?) POST requests two times
>> to get through.
>
> Preemptive authentication is not the best answer to this problem. The problem
> can be much better addressed by using the so-called 'expect-continue'
> handshake. See ExpectContinueMethod method's javadoc for details.
>
> The entire authentication framework in HttpClient has been completely
> rewritten for the 3.0 release. With HttpClient 3.0 one should already get a
> warning in case of missing authentication credentials. Furthermore, it also
> provides a better API for credentials assignment and retrieval. I will also
> try to come up with a better way to assign default credentials. So, stay tuned
>
> Oleg
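
The 'expect-continue' handshake recommended in the quoted comment, modelled over loopback sockets as an added example (Python, not HttpClient code and not part of this thread): the client sends only the headers with `Expect: 100-continue`, so the 401 challenge arrives before any body is transmitted and the large POST body goes over the wire once, with credentials sent only after the server has asked for them. The toy server, the `/upload` path, the `demo` realm and the credentials are all constructed for the demonstration.

```python
import base64, socket, threading

CREDS = base64.b64encode(b"user:secret").decode()  # constructed sample credentials
CHALLENGE = (b'HTTP/1.1 401 Unauthorized\r\n'
             b'WWW-Authenticate: Basic realm="demo"\r\nConnection: close\r\n\r\n')

def read_head(f):
    """Read a message head; return (first line, {lower-cased header: value})."""
    first, headers = f.readline().decode().strip(), {}
    while (line := f.readline().decode().strip()):
        name, value = line.split(":", 1)
        headers[name.lower()] = value.strip()
    return first, headers

def serve(listener, received, connections=2):
    """Toy origin server: decides from the headers alone, before any body is read."""
    for _ in range(connections):
        conn, _addr = listener.accept()
        with conn, conn.makefile("rb") as f:
            _, headers = read_head(f)
            if headers.get("authorization") != "Basic " + CREDS:
                conn.sendall(CHALLENGE)       # rejected: the body is never requested
                continue
            conn.sendall(b"HTTP/1.1 100 Continue\r\n\r\n")
            received.append(len(f.read(int(headers["content-length"]))))
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")

def post(addr, body, auth=None):
    """POST with Expect: 100-continue; return (status, body bytes put on the wire)."""
    head = (f"POST /upload HTTP/1.1\r\nHost: demo\r\n"
            f"Content-Length: {len(body)}\r\nExpect: 100-continue\r\n")
    head += f"Authorization: Basic {auth}\r\n" if auth else ""
    with socket.create_connection(addr) as s, s.makefile("rb") as f:
        s.sendall(head.encode() + b"\r\n")
        status, sent = read_head(f)[0].split()[1], 0
        if status == "100":                   # server accepted the headers
            s.sendall(body)
            sent, status = len(body), read_head(f)[0].split()[1]
        return int(status), sent

def run_demo(size=1_000_000):
    """Unauthenticated attempt, then authenticated retry, against the toy server."""
    received, body = [], b"x" * size
    with socket.create_server(("127.0.0.1", 0)) as listener:
        worker = threading.Thread(target=serve, args=(listener, received), daemon=True)
        worker.start()
        results = [post(listener.getsockname(), body, a) for a in (None, CREDS)]
        worker.join()
    return (*results, received)
```

`run_demo()` returns the two client results and the body sizes the server actually read; a production client would also put a timeout on the wait for the interim response, which this model omits.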