You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@hc.apache.org by Adrian Sutton <ad...@intencha.com> on 2003/05/09 03:55:09 UTC
Authentication Realm
Well, it's my turn to start updating our product to the latest
HttpClient and while it's generally going well I've run into my first
problem - hopefully I'm just missing something really simple.
I'm trying to retrieve the realm for authentication using the simple
method for doing so we were meant to add a little while back, but I
can't find that simple method... Currently, I'm trying to use
HttpAuthenticator.selectAuthScheme() to get the scheme then call
getRealm() on that followed by a special case of it being null (for
NTLM) where we use the host name. There's two problems with this:
1. It's more difficult than just parsing the auth challenge myself.
2. selectAuthScheme() parses every header that's passed to it so we
need to do what HttpMethodBase does ie:
HttpAuthenticator.selectAuthScheme(getResponseHeaderGroup().getHeaders(H
ttpAuthenticator.WWW_AUTH)));
The problem is that getResponseHeaderGroup() is protected so I'd have
to manually weed out the authentication headers. What I'd really like
is a simple method in HttpMethod like:
public String getAuthenticationRealm();
and
public String getProxyAuthenticationRealm();
I'd also be happy if it were in HttpAuthenticator and accepted either
the full array of headers or the actual HttpMethod. Finding out what
authentication method will be used should be similar (possibly getting
NTLMScheme to return something other than null for getRealm and
changing HttpAuthenticator.selectAuthScheme to take the full array of
headers would be the best option).
I can produce the patches for doing this and have no particular
preference on whether it goes into 2.0 or 2.1 (we have to maintain our
own fork anyway because you can't use JCE from an applet and we need
NTLM).
Hopefully though, I just missed a really obvious method and I'll slap
myself and move on. :)
Regards,
Adrian Sutton.
Re: [PATCH] Authentication Realm & Proxy Authentication Realm
Posted by Oleg Kalnichevski <o....@dplanet.ch>.
Patch applied
Oleg
On Mon, 2003-05-12 at 20:53, Michael Becke wrote:
> Fine with me.
>
> Mike
>
> Oleg Kalnichevski wrote:
> > Here it is
> >
> > Oleg
> >
> > On Mon, 2003-05-12 at 20:37, Michael Becke wrote:
> >
> >>I can't seem to locate the patch. Could you send it again?
> >>
> >>Mike
> >>
> >>Oleg Kalnichevski wrote:
> >>
> >>>Are there any objections to committing this patch?
> >>>
> >>>Oleg
> >>>
> >>>On Sat, 2003-05-10 at 23:31, Adrian Sutton wrote:
> >>>
> >>>
> >>>>Oleg,
> >>>>I wouldn't call that a compromise - I'd call that the ideal solution!
> >>>>:) We'd still need to grab the authentication header to check if NTLM
> >>>>authentication is being used (so we know whether to ask for a domain or
> >>>>not) but that's no hassle since it's just a simple check for the
> >>>>presence of "ntlm" in the auth challenge.
> >>>>
> >>>>Thanks for looking into it.
> >>>>
> >>>>Regards,
> >>>>
> >>>>Adrian.
> >>>>
> >>>>On Sunday, May 11, 2003, at 12:29 AM, Oleg Kalnichevski wrote:
> >>>>
> >>>>
> >>>>
> >>>>>Adrian,
> >>>>>In the future get*HeaderGroup will be made public. I would not change
> >>>>>HttpAuthenticator.selectAuthScheme() just to work around limitations of
> >>>>>the existing API. So, how about this for a compromise solution?
> >>>>>
> >>>>>Cheers
> >>>>>
> >>>>>Oleg
> >>>>>
> >>>>
> >>>>
> >>>>---------------------------------------------------------------------
> >>>>To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
> >>>>For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org
> >>>>
> >>>
> >>>
> >>>
> >>>---------------------------------------------------------------------
> >>>To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
> >>>For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org
> >>>
> >>
> >>
> >>---------------------------------------------------------------------
> >>To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
> >>For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org
> >>
> >>
> >>
> >>------------------------------------------------------------------------
> >>
> >>Index: java/org/apache/commons/httpclient/HttpMethodBase.java
> >>===================================================================
> >>RCS file: /home/cvspublic/jakarta-commons/httpclient/src/java/org/apache/commons/httpclient/HttpMethodBase.java,v
> >>retrieving revision 1.145
> >>diff -u -r1.145 HttpMethodBase.java
> >>--- java/org/apache/commons/httpclient/HttpMethodBase.java 8 May 2003 17:33:51 -0000 1.145
> >>+++ java/org/apache/commons/httpclient/HttpMethodBase.java 12 May 2003 18:45:02 -0000
> >>@@ -174,9 +174,15 @@
> >> /** Realms that we tried to authenticate to */
> >> private Set realms = null;
> >>
> >>+ /** Actual authentication realm */
> >>+ private String realm = null;
> >>+
> >> /** Proxy Realms that we tried to authenticate to */
> >> private Set proxyRealms = null;
> >>
> >>+ /** Actual proxy authentication realm */
> >>+ private String proxyRealm = null;
> >>+
> >> /** My request path. */
> >> private String path = null;
> >>
> >>@@ -195,7 +201,7 @@
> >> /** Whether or not I should automatically follow redirects. */
> >> private boolean followRedirects = false;
> >>
> >>- /** Whether or not I should automatically processs authentication. */
> >>+ /** Whether or not I should automatically process authentication. */
> >> private boolean doAuthentication = true;
> >>
> >> /** Whether or not I should use the HTTP/1.1 protocol. */
> >>@@ -1263,6 +1269,8 @@
> >> path = null;
> >> followRedirects = false;
> >> doAuthentication = true;
> >>+ realm = null;
> >>+ proxyRealm = null;
> >> queryString = null;
> >> getRequestHeaderGroup().clear();
> >> getResponseHeaderGroup().clear();
> >>@@ -2420,11 +2428,13 @@
> >> removeRequestHeader(HttpAuthenticator.WWW_AUTH_RESP);
> >> authenticated = HttpAuthenticator.authenticate(
> >> authscheme, this, conn, state);
> >>+ this.realm = authscheme.getRealm();
> >> break;
> >> case HttpStatus.SC_PROXY_AUTHENTICATION_REQUIRED:
> >> removeRequestHeader(HttpAuthenticator.PROXY_AUTH_RESP);
> >> authenticated = HttpAuthenticator.authenticateProxy(
> >> authscheme, this, conn, state);
> >>+ this.proxyRealm = authscheme.getRealm();
> >> break;
> >> }
> >> } catch (AuthenticationException e) {
> >>@@ -2448,6 +2458,26 @@
> >> }
> >>
> >> /**
> >>+ * Returns proxy authentication realm, if it has been used during authentication process.
> >>+ * Otherwise returns <tt>null</tt>.
> >>+ *
> >>+ * @return proxy authentication realm
> >>+ */
> >>+ public String getProxyAuthenticationRealm() {
> >>+ return this.proxyRealm;
> >>+ }
> >>+
> >>+ /**
> >>+ * Returns authentication realm, if it has been used during authentication process.
> >>+ * Otherwise returns <tt>null</tt>.
> >>+ *
> >>+ * @return authentication realm
> >>+ */
> >>+ public String getAuthenticationRealm() {
> >>+ return this.realm;
> >>+ }
> >>+
> >>+ /**
> >> * Write a request and read the response. Both the write to the server will
> >> * be retried {@link #maxRetries} times if the operation fails with a
> >> * HttpRecoverableException. The write will only be attempted if the read
> >>@@ -2677,5 +2707,4 @@
> >> this.responseBody = null;
> >> this.responseStream = responseStream;
> >> }
> >>-
> >> }
> >>
> >>
> >>
> >>------------------------------------------------------------------------
> >>
> >>---------------------------------------------------------------------
> >>To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
> >>For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org
>
Re: [PATCH] Authentication Realm & Proxy Authentication Realm
Posted by Michael Becke <be...@u.washington.edu>.
Fine with me.
Mike
Oleg Kalnichevski wrote:
> Here it is
>
> Oleg
>
> On Mon, 2003-05-12 at 20:37, Michael Becke wrote:
>
>>I can't seem to locate the patch. Could you send it again?
>>
>>Mike
>>
>>Oleg Kalnichevski wrote:
>>
>>>Are there any objections to committing this patch?
>>>
>>>Oleg
>>>
>>>On Sat, 2003-05-10 at 23:31, Adrian Sutton wrote:
>>>
>>>
>>>>Oleg,
>>>>I wouldn't call that a compromise - I'd call that the ideal solution!
>>>>:) We'd still need to grab the authentication header to check if NTLM
>>>>authentication is being used (so we know whether to ask for a domain or
>>>>not) but that's no hassle since it's just a simple check for the
>>>>presence of "ntlm" in the auth challenge.
>>>>
>>>>Thanks for looking into it.
>>>>
>>>>Regards,
>>>>
>>>>Adrian.
>>>>
>>>>On Sunday, May 11, 2003, at 12:29 AM, Oleg Kalnichevski wrote:
>>>>
>>>>
>>>>
>>>>>Adrian,
>>>>>In the future get*HeaderGroup will be made public. I would not change
>>>>>HttpAuthenticator.selectAuthScheme() just to work around limitations of
>>>>>the existing API. So, how about this for a compromise solution?
>>>>>
>>>>>Cheers
>>>>>
>>>>>Oleg
>>>>>
>>>>
>>>>
>>>>---------------------------------------------------------------------
>>>>To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
>>>>For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org
>>>>
>>>
>>>
>>>
>>>---------------------------------------------------------------------
>>>To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
>>>For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org
>>>
>>
>>
>>---------------------------------------------------------------------
>>To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
>>For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org
>>
>>
>>
>>------------------------------------------------------------------------
>>
>>Index: java/org/apache/commons/httpclient/HttpMethodBase.java
>>===================================================================
>>RCS file: /home/cvspublic/jakarta-commons/httpclient/src/java/org/apache/commons/httpclient/HttpMethodBase.java,v
>>retrieving revision 1.145
>>diff -u -r1.145 HttpMethodBase.java
>>--- java/org/apache/commons/httpclient/HttpMethodBase.java 8 May 2003 17:33:51 -0000 1.145
>>+++ java/org/apache/commons/httpclient/HttpMethodBase.java 12 May 2003 18:45:02 -0000
>>@@ -174,9 +174,15 @@
>> /** Realms that we tried to authenticate to */
>> private Set realms = null;
>>
>>+ /** Actual authentication realm */
>>+ private String realm = null;
>>+
>> /** Proxy Realms that we tried to authenticate to */
>> private Set proxyRealms = null;
>>
>>+ /** Actual proxy authentication realm */
>>+ private String proxyRealm = null;
>>+
>> /** My request path. */
>> private String path = null;
>>
>>@@ -195,7 +201,7 @@
>> /** Whether or not I should automatically follow redirects. */
>> private boolean followRedirects = false;
>>
>>- /** Whether or not I should automatically processs authentication. */
>>+ /** Whether or not I should automatically process authentication. */
>> private boolean doAuthentication = true;
>>
>> /** Whether or not I should use the HTTP/1.1 protocol. */
>>@@ -1263,6 +1269,8 @@
>> path = null;
>> followRedirects = false;
>> doAuthentication = true;
>>+ realm = null;
>>+ proxyRealm = null;
>> queryString = null;
>> getRequestHeaderGroup().clear();
>> getResponseHeaderGroup().clear();
>>@@ -2420,11 +2428,13 @@
>> removeRequestHeader(HttpAuthenticator.WWW_AUTH_RESP);
>> authenticated = HttpAuthenticator.authenticate(
>> authscheme, this, conn, state);
>>+ this.realm = authscheme.getRealm();
>> break;
>> case HttpStatus.SC_PROXY_AUTHENTICATION_REQUIRED:
>> removeRequestHeader(HttpAuthenticator.PROXY_AUTH_RESP);
>> authenticated = HttpAuthenticator.authenticateProxy(
>> authscheme, this, conn, state);
>>+ this.proxyRealm = authscheme.getRealm();
>> break;
>> }
>> } catch (AuthenticationException e) {
>>@@ -2448,6 +2458,26 @@
>> }
>>
>> /**
>>+ * Returns proxy authentication realm, if it has been used during authentication process.
>>+ * Otherwise returns <tt>null</tt>.
>>+ *
>>+ * @return proxy authentication realm
>>+ */
>>+ public String getProxyAuthenticationRealm() {
>>+ return this.proxyRealm;
>>+ }
>>+
>>+ /**
>>+ * Returns authentication realm, if it has been used during authentication process.
>>+ * Otherwise returns <tt>null</tt>.
>>+ *
>>+ * @return authentication realm
>>+ */
>>+ public String getAuthenticationRealm() {
>>+ return this.realm;
>>+ }
>>+
>>+ /**
>> * Write a request and read the response. Both the write to the server will
>> * be retried {@link #maxRetries} times if the operation fails with a
>> * HttpRecoverableException. The write will only be attempted if the read
>>@@ -2677,5 +2707,4 @@
>> this.responseBody = null;
>> this.responseStream = responseStream;
>> }
>>-
>> }
>>
>>
>>
>>------------------------------------------------------------------------
>>
>>---------------------------------------------------------------------
>>To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
>>For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org
[PATCH] Authentication Realm & Proxy Authentication Realm
Posted by Oleg Kalnichevski <o....@dplanet.ch>.
Here it is
Oleg
On Mon, 2003-05-12 at 20:37, Michael Becke wrote:
> I can't seem to locate the patch. Could you send it again?
>
> Mike
>
> Oleg Kalnichevski wrote:
> > Are there any objections to committing this patch?
> >
> > Oleg
> >
> > On Sat, 2003-05-10 at 23:31, Adrian Sutton wrote:
> >
> >>Oleg,
> >>I wouldn't call that a compromise - I'd call that the ideal solution!
> >>:) We'd still need to grab the authentication header to check if NTLM
> >>authentication is being used (so we know whether to ask for a domain or
> >>not) but that's no hassle since it's just a simple check for the
> >>presence of "ntlm" in the auth challenge.
> >>
> >>Thanks for looking into it.
> >>
> >>Regards,
> >>
> >>Adrian.
> >>
> >>On Sunday, May 11, 2003, at 12:29 AM, Oleg Kalnichevski wrote:
> >>
> >>
> >>>Adrian,
> >>>In the future get*HeaderGroup will be made public. I would not change
> >>>HttpAuthenticator.selectAuthScheme() just to work around limitations of
> >>>the existing API. So, how about this for a compromise solution?
> >>>
> >>>Cheers
> >>>
> >>>Oleg
> >>>
> >>
> >>
> >>---------------------------------------------------------------------
> >>To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
> >>For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org
> >>
> >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org
> >
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org
>
Re: [PATCH] Authentication Realm & Proxy Authentication Realm
Posted by Michael Becke <be...@u.washington.edu>.
I can't seem to locate the patch. Could you send it again?
Mike
Oleg Kalnichevski wrote:
> Are there any objections to committing this patch?
>
> Oleg
>
> On Sat, 2003-05-10 at 23:31, Adrian Sutton wrote:
>
>>Oleg,
>>I wouldn't call that a compromise - I'd call that the ideal solution!
>>:) We'd still need to grab the authentication header to check if NTLM
>>authentication is being used (so we know whether to ask for a domain or
>>not) but that's no hassle since it's just a simple check for the
>>presence of "ntlm" in the auth challenge.
>>
>>Thanks for looking into it.
>>
>>Regards,
>>
>>Adrian.
>>
>>On Sunday, May 11, 2003, at 12:29 AM, Oleg Kalnichevski wrote:
>>
>>
>>>Adrian,
>>>In the future get*HeaderGroup will be made public. I would not change
>>>HttpAuthenticator.selectAuthScheme() just to work around limitations of
>>>the existing API. So, how about this for a compromise solution?
>>>
>>>Cheers
>>>
>>>Oleg
>>>
>>
>>
>>---------------------------------------------------------------------
>>To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
>>For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org
>>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org
>
Re: [PATCH] Authentication Realm & Proxy Authentication Realm
Posted by Oleg Kalnichevski <o....@dplanet.ch>.
Are there any objections to committing this patch?
Oleg
On Sat, 2003-05-10 at 23:31, Adrian Sutton wrote:
> Oleg,
> I wouldn't call that a compromise - I'd call that the ideal solution!
> :) We'd still need to grab the authentication header to check if NTLM
> authentication is being used (so we know whether to ask for a domain or
> not) but that's no hassle since it's just a simple check for the
> presence of "ntlm" in the auth challenge.
>
> Thanks for looking into it.
>
> Regards,
>
> Adrian.
>
> On Sunday, May 11, 2003, at 12:29 AM, Oleg Kalnichevski wrote:
>
> > Adrian,
> > In the future get*HeaderGroup will be made public. I would not change
> > HttpAuthenticator.selectAuthScheme() just to work around limitations of
> > the existing API. So, how about this for a compromise solution?
> >
> > Cheers
> >
> > Oleg
> >
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org
>
Re: [PATCH] Authentication Realm & Proxy Authentication Realm
Posted by Adrian Sutton <ad...@intencha.com>.
Oleg,
I wouldn't call that a compromise - I'd call that the ideal solution!
:) We'd still need to grab the authentication header to check if NTLM
authentication is being used (so we know whether to ask for a domain or
not) but that's no hassle since it's just a simple check for the
presence of "ntlm" in the auth challenge.
Thanks for looking into it.
Regards,
Adrian.
On Sunday, May 11, 2003, at 12:29 AM, Oleg Kalnichevski wrote:
> Adrian,
> In the future get*HeaderGroup will be made public. I would not change
> HttpAuthenticator.selectAuthScheme() just to work around limitations of
> the existing API. So, how about this for a compromise solution?
>
> Cheers
>
> Oleg
>
[PATCH] Authentication Realm & Proxy Authentication Realm
Posted by Oleg Kalnichevski <o....@dplanet.ch>.
Adrian,
In the future get*HeaderGroup will be made public. I would not change
HttpAuthenticator.selectAuthScheme() just to work around limitations of
the existing API. So, how about this for a compromise solution?
Cheers
Oleg
On Fri, 2003-05-09 at 03:55, Adrian Sutton wrote:
> Well, it's my turn to start updating our product to the latest
> HttpClient and while it's generally going well I've run into my first
> problem - hopefully I'm just missing something really simple.
>
> I'm trying to retrieve the realm for authentication using the simple
> method for doing so we were meant to add a little while back, but I
> can't find that simple method... Currently, I'm trying to use
> HttpAuthenticator.selectAuthScheme() to get the scheme then call
> getRealm() on that followed by a special case of it being null (for
> NTLM) where we use the host name. There's two problems with this:
>
> 1. It's more difficult than just parsing the auth challenge myself.
> 2. selectAuthScheme() parses every header that's passed to it so we
> need to do what HttpMethodBase does ie:
> HttpAuthenticator.selectAuthScheme(getResponseHeaderGroup().getHeaders(H
> ttpAuthenticator.WWW_AUTH)));
>
> The problem is that getResponseHeaderGroup() is protected so I'd have
> to manually weed out the authentication headers. What I'd really like
> is a simple method in HttpMethod like:
>
> public String getAuthenticationRealm();
>
> and
>
> public String getProxyAuthenticationRealm();
>
> I'd also be happy if it were in HttpAuthenticator and accepted either
> the full array of headers or the actual HttpMethod. Finding out what
> authentication method will be used should be similar (possibly getting
> NTLMScheme to return something other than null for getRealm and
> changing HttpAuthenticator.selectAuthScheme to take the full array of
> headers would be the best option).
>
> I can produce the patches for doing this and have no particular
> preference on whether it goes into 2.0 or 2.1 (we have to maintain our
> own fork anyway because you can't use JCE from an applet and we need
> NTLM).
>
> Hopefully though, I just missed a really obvious method and I'll slap
> myself and move on. :)
>
> Regards,
>
> Adrian Sutton.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org
>
Some Good News
Posted by Adrian Sutton <ad...@intencha.com>.
Hi all,
I've just finished porting our application over to using the latest
HttpClient. We had previously been using a build from back in the
HttpMultiClient days and it actually went very smoothly. The speed
improvement is quite noticable though I'm not entirely sure what speed
improvements have gone in and most importantly the changes to the API
weren't that difficult to accomodate. I have one patch that I've
finally merged forward to the latest version which provides a callback
interface for adjusting HostConfigurations which makes supporting proxy
configuration scripts possible. I'll clean that up and attach it to a
bug report ready for 2.1.
Anyway, to all involved congratulations on such a wonderful effort in
both improving the reliability and feature set of HttpClient as well as
maintaining a reasonable amount of backwards compatibility!
Regards,
Adrian Sutton.