Posted to dev@commons.apache.org by bu...@apache.org on 2002/12/12 01:13:38 UTC
DO NOT REPLY [Bug 15297] New: -
[HttpClient] Authenticator() - ability to perform alternate authentication
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=15297
Summary: [HttpClient] Authenticator() - ability to perform
alternate authentication
Product: Commons
Version: Nightly Builds
Platform: Other
OS/Version: Other
Status: NEW
Severity: Enhancement
Priority: Other
Component: HttpClient
AssignedTo: commons-dev@jakarta.apache.org
ReportedBy: vgustafson@proxicom.com
My post to the user group. The developer replied suggesting I enter an
enhancement request.
-----Original Message-----
From: Gustafson, Vicki [mailto:vicki.gustafson@us.didata.com]
Sent: Thursday, 12 December 2002 5:03 AM
To: Jakarta Commons Users List
Subject: [HttpClient] Authentication using Basic
Is there a way to specify which authentication scheme you would like the client
to use if several schemes are returned in the www-auth header?
I'm performing a simple post using the httpClient. The server returns a 401 at
which point the httpClient tries to authenticate with the server. The
following header is received:
Attempting to parse authenticate header: 'WWW-Authenticate: Negotiate, NTLM,
Basic realm="XXXwhateverXXX"
I need to authenticate using Basic, but the Authenticator class will only try
the most secure scheme: NTLM. Is there a setting or parameter I can set to
force the httpClient to use Basic?
thanks,
Vicki
    // determine the most secure request header to add
    Header requestHeader = null;
    if (challengeMap.containsKey("ntlm")) {
        String challenge = (String) challengeMap.get("ntlm");
        requestHeader = Authenticator.ntlm(challenge, method, state,
                responseHeader);
    } else if (challengeMap.containsKey("digest")) {
        String challenge = (String) challengeMap.get("digest");
        String realm = parseRealmFromChallenge(challenge);
        requestHeader = Authenticator.digest(realm, method, state,
                responseHeader);
    } else if (challengeMap.containsKey("basic")) {
        String challenge = (String) challengeMap.get("basic");
        String realm = parseRealmFromChallenge(challenge);
        requestHeader = Authenticator.basic(realm, state, responseHeader);
    } else if (challengeMap.size() == 0) {
        throw new HttpException("No authentication scheme found in '"
                + authenticateHeader + "'");
    } else {
        throw new UnsupportedOperationException(
                "Requested authentication scheme " + challengeMap.keySet()
                + " is unsupported");
    }
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
**********developer response**********************************
Currently there isn't, however we probably should be more intelligent about
falling back to other authentication schemes based on the type of credentials
provided. Having said this I'm not sure it conforms to the HTTP spec strictly
(which states that the client must use the strongest authentication scheme it
supports; there's a grey area here because if your application doesn't provide
a dialog or similar for the user to enter NTLM credentials it can only support
basic or digest authentication, despite HTTPClient supporting NTLM).
What I'd like to see happen is:
When NTLM authentication is requested as top priority but only
UsernamePasswordCredentials are available instead of NTLMCredentials we fall
back to one of the other schemes. In general this would mean that:
if an authentication scheme is requested and a credentials object of the wrong
type is provided, HTTPClient should assume (probably optionally or only in non-
strict mode) that the requested authentication scheme is not supported and fall
through to other options.
Achieving this would require a reasonable amount of refactoring of the
Authenticator class but shouldn't be impossible. Unfortunately I don't have
time to do it myself at the moment but I'd be happy to help out if you felt
like doing it, otherwise logging an enhancement bug in Bugzilla would be a good
way to record this request until someone has time to actually implement it.
Adrian Sutton, Software Engineer
Ephox Corporation
www.ephox.com
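
The fallback proposed in the developer response, sketched as an added example; it is not HttpClient code and not from either poster. The class, the Creds enum, and the select/usable/offeredSchemes names are hypothetical, and the header parse is simplified to scheme names only.

```java
import java.util.*;

public class SchemeSelection {
    // Hypothetical stand-ins for the two credential kinds named in the thread.
    enum Creds { USERNAME_PASSWORD, NTLM }

    // Strongest first, in the same order as the if/else chain quoted above.
    static final List<String> PREFERENCE = List.of("ntlm", "digest", "basic");

    // Simplified parse: collects scheme names, skips parameter fragments such as nonce="...".
    static Set<String> offeredSchemes(String headerValue) {
        Set<String> schemes = new LinkedHashSet<>();
        for (String part : headerValue.split(",")) {
            String token = part.trim().split("\\s+", 2)[0];
            if (!token.isEmpty() && !token.contains("=")) {
                schemes.add(token.toLowerCase(Locale.ROOT));
            }
        }
        return schemes;
    }

    // Assumption: NTLM needs NTLM credentials; Digest and Basic need username/password.
    static boolean usable(String scheme, Creds creds) {
        return scheme.equals("ntlm") ? creds == Creds.NTLM : creds == Creds.USERNAME_PASSWORD;
    }

    static String select(Set<String> offered, Creds creds, boolean strict) {
        for (String scheme : PREFERENCE) {
            if (!offered.contains(scheme)) continue;
            if (usable(scheme, creds)) return scheme;
            if (strict) {
                throw new IllegalStateException("credentials do not fit strongest offered scheme: " + scheme);
            }
            // Non-strict only: fall through. Basic sends the password base64-encoded, so this is opt-in.
        }
        throw new IllegalStateException("no usable scheme among " + offered);
    }

    public static void main(String[] args) {
        // Header value taken from the log line in the report above.
        Set<String> offered = offeredSchemes("Negotiate, NTLM, Basic realm=\"XXXwhateverXXX\"");
        System.out.println(select(offered, Creds.NTLM, true));
        System.out.println(select(offered, Creds.USERNAME_PASSWORD, false));
        try {
            select(offered, Creds.USERNAME_PASSWORD, true);
        } catch (IllegalStateException e) {
            System.out.println("strict: " + e.getMessage());
        }
    }
}
```

Keeping strict mode as the default means a weaker scheme is only chosen when the caller has explicitly accepted it.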