Posted to httpclient-users@hc.apache.org by Vjeran Marcinko <vj...@tis.hr> on 2004/11/08 05:34:53 UTC

HTTP Basic auth requests

Hi again.

Can I just ask why HttpClient, when having set HTTP Basic auth, doesn't send
Authorization header in such request at first, but tries to send one without
it and when it fails with status code 401, it sends the complete one?

-Vjeran


---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpclient-user-help@jakarta.apache.org


Re: HTTP Basic auth requests

Posted by Oleg Kalnichevski <ol...@apache.org>.
On Mon, Nov 08, 2004 at 10:16:43AM +0100, Vjeran Marcinko wrote:
> Oleg,
> 
> Thanx for the answers. But one more question - since HttpClient is suggested
> to be used as a singleton, and HttpMethod is the one that should get
> instantiated during each request, one would assume that all things tied to
> that request should be set on that HttpMethod instance.
> But let's say that my singleton HttpClient serves for performing various
> HTTP requests, of which some require BASIC auth and some don't, but since
> user credentials are tied to HttpClient and not HttpMethod (set by
> client.getState().setCredentials...), isn't that a design issue, or is it
> just unsuitable for my case, where most cases out there would feel fine
> with it?

Vjeran,

You can always override the default HttpState and HostConfiguration by
using the following method, leaving HttpClient in charge of connection
management only:

http://jakarta.apache.org/commons/httpclient/apidocs/org/apache/commons/httpclient/HttpClient.html#executeMethod(org.apache.commons.httpclient.HostConfiguration,org.apache.commons.httpclient.HttpMethod,org.apache.commons.httpclient.HttpState)

I hope this addresses your concerns.

Oleg

> 
> -Vjeran
> 
> ----- Original Message ----- 
> From: "Oleg Kalnichevski" <ol...@apache.org>
> To: <ht...@jakarta.apache.org>
> Sent: Monday, November 08, 2004 9:56 AM
> Subject: Re: HTTP Basic auth requests
> 
> 
> > Vjeran
> >
> > Usually one needs to know the authentication realm of the resource one
> > is trying to access. It is possible to force the preemptive
> > authentication using BASIC scheme. This approach has significant
> > security risks as (1) one may end up sending credentials to an untrusted site
> > by mistake, and (2) BASIC authentication is inherently insecure.
> >
> > This said, if you are reasonably sure that you can mitigate the security
> > risks and absolutely have to save that first server roundtrip, the
> > preemptive authentication is the way to go. For further details see the
> > HttpClient authentication guide:
> >
> > http://jakarta.apache.org/commons/httpclient/3.0/authentication.html
> >
> > Cheers,
> >
> > Oleg
> >
> > On Mon, Nov 08, 2004 at 05:34:53AM +0100, Vjeran Marcinko wrote:
> > > Hi again.
> > >
> > > Can I just ask why HttpClient, when having set HTTP Basic auth, doesn't send
> > > Authorization header in such request at first, but tries to send one without
> > > it and when it fails with status code 401, it sends the complete one?
> > >
> > > -Vjeran
> > >

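The per-request scoping Oleg points at, as an added example that is not code from the thread or from the HttpClient project: it assumes the HttpClient 3.0 API (executeMethod with an explicit HostConfiguration and HttpState, AuthScope) and takes host, realm and credentials as placeholders supplied by the caller.

```java
import java.io.IOException;
import org.apache.commons.httpclient.HostConfiguration;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.HttpState;
import org.apache.commons.httpclient.MultiThreadedHttpConnectionManager;
import org.apache.commons.httpclient.UsernamePasswordCredentials;
import org.apache.commons.httpclient.auth.AuthScope;
import org.apache.commons.httpclient.methods.GetMethod;

public class PerRequestAuth {

    // The shared client does connection management only; each call below
    // hands it its own HostConfiguration and HttpState.
    private static final HttpClient CLIENT =
            new HttpClient(new MultiThreadedHttpConnectionManager());

    /** GET with credentials that exist only for this call. */
    public static int authenticatedGet(String host, int port, String path,
            String realm, String user, String password) throws IOException {
        HostConfiguration target = new HostConfiguration();
        target.setHost(host, port, "https");

        // Fresh state per request: other callers of the singleton never see
        // these credentials, and AuthScope pins them to this host, port and
        // realm, so a 401 challenge from any other origin is left unanswered.
        HttpState state = new HttpState();
        state.setCredentials(new AuthScope(host, port, realm),
                new UsernamePasswordCredentials(user, password));

        GetMethod get = new GetMethod(path);  // relative URI, host from target
        try {
            // This overload overrides the client's default state and host.
            return CLIENT.executeMethod(target, get, state);
        } finally {
            get.releaseConnection();
        }
    }

    /** GET for a resource that needs no auth: an empty state, nothing leaks. */
    public static int anonymousGet(String host, int port, String path)
            throws IOException {
        HostConfiguration target = new HostConfiguration();
        target.setHost(host, port, "https");
        GetMethod get = new GetMethod(path);
        try {
            return CLIENT.executeMethod(target, get, new HttpState());
        } finally {
            get.releaseConnection();
        }
    }
}
```

Both methods return the HTTP status code; a call such as authenticatedGet("api.example.com", 443, "/secure/data", "secure", user, password) uses placeholder values that must be replaced with real ones.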

Re: HTTP Basic auth requests

Posted by Vjeran Marcinko <vj...@tis.hr>.
Oleg,

Thanx for the answers. But one more question - since HttpClient is suggested
to be used as a singleton, and HttpMethod is the one that should get
instantiated during each request, one would assume that all things tied to
that request should be set on that HttpMethod instance.
But let's say that my singleton HttpClient serves for performing various
HTTP requests, of which some require BASIC auth and some don't, but since
user credentials are tied to HttpClient and not HttpMethod (set by
client.getState().setCredentials...), isn't that a design issue, or is it
just unsuitable for my case, where most cases out there would feel fine
with it?

-Vjeran

----- Original Message ----- 
From: "Oleg Kalnichevski" <ol...@apache.org>
To: <ht...@jakarta.apache.org>
Sent: Monday, November 08, 2004 9:56 AM
Subject: Re: HTTP Basic auth requests


> Vjeran
>
> Usually one needs to know the authentication realm of the resource one
> is trying to access. It is possible to force the preemptive
> authentication using BASIC scheme. This approach has significant
> security risks as (1) one may end up sending credentials to an untrusted site
> by mistake, and (2) BASIC authentication is inherently insecure.
>
> This said, if you are reasonably sure that you can mitigate the security
> risks and absolutely have to save that first server roundtrip, the
> preemptive authentication is the way to go. For further details see the
> HttpClient authentication guide:
>
> http://jakarta.apache.org/commons/httpclient/3.0/authentication.html
>
> Cheers,
>
> Oleg
>
> On Mon, Nov 08, 2004 at 05:34:53AM +0100, Vjeran Marcinko wrote:
> > Hi again.
> >
> > Can I just ask why HttpClient, when having set HTTP Basic auth, doesn't send
> > Authorization header in such request at first, but tries to send one without
> > it and when it fails with status code 401, it sends the complete one?
> >
> > -Vjeran
> >


Re: HTTP Basic auth requests

Posted by Oleg Kalnichevski <ol...@apache.org>.
Vjeran

Usually one needs to know the authentication realm of the resource one
is trying to access. It is possible to force the preemptive
authentication using BASIC scheme. This approach has significant
security risks as (1) one may end up sending credentials to an untrusted site
by mistake, and (2) BASIC authentication is inherently insecure.

This said, if you are reasonably sure that you can mitigate the security
risks and absolutely have to save that first server roundtrip, the
preemptive authentication is the way to go. For further details see the
HttpClient authentication guide:

http://jakarta.apache.org/commons/httpclient/3.0/authentication.html

Cheers,

Oleg

On Mon, Nov 08, 2004 at 05:34:53AM +0100, Vjeran Marcinko wrote:
> Hi again.
> 
> Can I just ask why HttpClient, when having set HTTP Basic auth, doesn't send
> Authorization header in such request at first, but tries to send one without
> it and when it fails with status code 401, it sends the complete one?
> 
> -Vjeran
> 

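The two behaviours Oleg contrasts, challenge-driven versus preemptive Basic, as an added example that is not code from the thread or from the HttpClient project: it assumes the HttpClient 3.0 API (setAuthenticationPreemptive, AuthScope) and placeholder host, port and credentials supplied by the caller.

```java
import java.io.IOException;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.UsernamePasswordCredentials;
import org.apache.commons.httpclient.auth.AuthScope;
import org.apache.commons.httpclient.methods.GetMethod;

public class PreemptiveBasic {

    /**
     * Default HttpClient behaviour: the first request goes out without an
     * Authorization header; only a 401 carrying a WWW-Authenticate challenge
     * makes the client look up credentials for that host and realm and retry.
     */
    public static HttpClient challengeDrivenClient(String host, int port,
            String realm, String user, String password) {
        HttpClient client = new HttpClient();
        client.getState().setCredentials(new AuthScope(host, port, realm),
                new UsernamePasswordCredentials(user, password));
        return client;
    }

    /**
     * Preemptive variant: Authorization is attached to the very first request,
     * saving the round trip. No realm has been seen yet, so the scope uses
     * ANY_REALM; host and port must still be explicit, because with
     * AuthScope.ANY the header would go to every site this client talks to.
     */
    public static HttpClient preemptiveClient(String host, int port,
            String user, String password) {
        HttpClient client = new HttpClient();
        client.getParams().setAuthenticationPreemptive(true);
        client.getState().setCredentials(
                new AuthScope(host, port, AuthScope.ANY_REALM),
                new UsernamePasswordCredentials(user, password));
        return client;
    }

    /** Basic is only base64, not encryption, so the URL is forced to https. */
    public static int fetch(HttpClient client, String host, int port, String path)
            throws IOException {
        GetMethod get = new GetMethod("https://" + host + ":" + port + path);
        try {
            return client.executeMethod(get);
        } finally {
            get.releaseConnection();
        }
    }
}
```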