Posted to dev@hc.apache.org by Roland Weber <ht...@dubioso.net> on 2007/01/06 20:56:01 UTC

[HttpConn] connection management

Hi folks,

I've started to collect my thoughts on connection management in the Wiki:
http://wiki.apache.org/jakarta-httpclient/ConnectionManagementDesign
The Wiki has the advantage that I can access it even on business trips :-)

The NIO question is wide open, but not urgent. Another question
concerns NTLM authentication. Mike, maybe you can answer that?
IIRC, NTLM authentication is connection based. After the initial
challenge-response handshake, the connection must be kept open
since only requests on that connection will be authenticated.
My question is: will _all_ requests over that connection share
the authentication, or do they still require some Authentication:
or Proxy-Authentication: header? In other words, if the connection
is given back to the connection manager and subsequently re-used,
will those requests accidentally "inherit" the NTLM authentication?

cheers,
  Roland

---------------------------------------------------------------------
To unsubscribe, e-mail: httpcomponents-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpcomponents-dev-help@jakarta.apache.org


Re: [HttpConn] connection management

Posted by Michael Becke <mb...@gmail.com>.
> I'm afraid we'll have to make sure that NTLM authenticated
> connections are either not re-used at all, or only by someone
> with the appropriate credentials. And especially in the proxy
> scenario, re-use would really improve performance.

I would agree.  We want to be sure that connections are not reused
inappropriately.  Assuming we want to reuse them, then NTLM
credentials will have to somehow become part of the connection's
state.

Mike
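
Added example, not part of the original thread and not HttpClient's own code: one way to make the authenticated principal "part of the connection's state", so that a pooled connection that completed an NTLM handshake is only leased again to the same principal. The class, field and method names (StatefulPool, Conn, state, lease, release) and the route string are hypothetical.

```java
import java.util.*;

/** Sketch: a pool that treats the authenticated principal as connection state. */
public class StatefulPool {
    /** Stand-in for a pooled connection. */
    static final class Conn {
        final String route;   // constructed value, e.g. "proxy.example:8080"
        Object state;         // null = no connection-based auth was ever done on it
        Conn(String route) { this.route = route; }
    }

    private final Map<String, Deque<Conn>> idle = new HashMap<>();

    /** Return an idle connection only if its state is compatible with the caller. */
    synchronized Conn lease(String route, Object callerState) {
        Deque<Conn> q = idle.getOrDefault(route, new ArrayDeque<>());
        for (Iterator<Conn> it = q.iterator(); it.hasNext();) {
            Conn c = it.next();
            // Stateless connections are safe for anyone; stateful ones only
            // for the principal that authenticated them.
            if (c.state == null || c.state.equals(callerState)) {
                it.remove();
                return c;
            }
        }
        return new Conn(route);   // nothing compatible is idle: open a fresh one
    }

    /** Give a connection back; its state travels with it. */
    synchronized void release(Conn c) {
        idle.computeIfAbsent(c.route, r -> new ArrayDeque<>()).addLast(c);
    }

    public static void main(String[] args) {
        StatefulPool pool = new StatefulPool();
        String route = "proxy.example:8080";

        Conn a = pool.lease(route, "alice");
        a.state = "alice";                     // NTLM handshake completed as alice
        pool.release(a);

        Conn b = pool.lease(route, "bob");     // must not inherit alice's auth
        System.out.println("bob got alice's connection: " + (b == a));
        pool.release(b);                       // b is fresh and still stateless

        Conn a2 = pool.lease(route, "alice");  // same principal may re-use it
        System.out.println("alice re-used her connection: " + (a2 == a));
    }
}
```

The alternative named in the thread, never re-using such connections at all, corresponds to closing any connection whose state is non-null on release instead of queueing it.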



Re: [HttpConn] connection management

Posted by Roland Weber <ht...@dubioso.net>.
Hi Julius,

> Whenever I've coded my own JSP/Servlet pages to accept NTLM,
> I always trade in the successful NTLM auth for a session cookie.
> [...]
> But maybe that's just me.  Who knows how other servers out there do it.

Somehow, I doubt that a MS proxy server with NTLM authentication
hands out cookies :-) Authentication is typically handled by the
application server infrastructure. If you check the box somewhere
in MS IIS, then the server will require authentication before the
request ever reaches the (ASP) application. If it's an application
in the first place and not just a bunch of static pages.

I'm afraid we'll have to make sure that NTLM authenticated
connections are either not re-used at all, or only by someone
with the appropriate credentials. And especially in the proxy
scenario, re-use would really improve performance.

cheers,
  Roland




RE: [HttpConn] connection management

Posted by Julius Davies <ju...@cucbc.com>.
Hi,

Whenever I've coded my own JSP/Servlet pages to accept NTLM, I always trade in the successful NTLM auth for a session cookie.  In other words:

#1.  Browser gave me a good NTLM auth!

#2.  I give the browser a session cookie.

#3.  As long as browser uses that session cookie, then I consider the browser authenticated.  I don't care about NTLM any more.  If a new socket comes in, as long as it provides the session cookie, I'm happy.


But maybe that's just me.  Who knows how other servers out there do it.

yours,

Julius




-----Original Message-----
From:	Roland Weber [mailto:http-async@dubioso.net]
Sent:	Sat 1/6/2007 2:26 PM
To:	HttpComponents Project
Cc:	
Subject:	Re: [HttpConn] connection management

Hi Robert,

> As far as I understand it, yes as long as that connection is open
> all resources transferred are considered authenticated.

Thanks!

> NTLM is problematic since it works very differently from how http is
> supposed to work. NTLM keeps state, http does not.
> 
> The only way I have managed to get my proxy to handle NTLM connections
> between the real server and the real client is to switch the proxy
> to a dumb tunnel when NTLM is negotiated (otherwise another client might
> reuse the same server connection and be authenticated). For a
> proxy any accidental authentication inheriting is very bad, for a normal
> browser/tool it is probably ok.

For a browser it doesn't matter because it's acting for a single
user. I'm not sure how we handle this in HttpClient right now.
But I sure don't want that to happen accidentally in 4.0.

> I suspect that there are lots of proxies that have problems when the
> real server tries to use NTLM.

The NTLM levels we can support are better not used outside
of an intranet anyway ;-)

cheers,
  Roland



Re: [HttpConn] connection management

Posted by Roland Weber <ht...@dubioso.net>.
Hi Robert,

> As far as I understand it, yes as long as that connection is open
> all resources transferred are considered authenticated.

Thanks!

> NTLM is problematic since it works very differently from how http is
> supposed to work. NTLM keeps state, http does not.
> 
> The only way I have managed to get my proxy to handle NTLM connections
> between the real server and the real client is to switch the proxy
> to a dumb tunnel when NTLM is negotiated (otherwise another client might
> reuse the same server connection and be authenticated). For a
> proxy any accidental authentication inheriting is very bad, for a normal
> browser/tool it is probably ok.

For a browser it doesn't matter because it's acting for a single
user. I'm not sure how we handle this in HttpClient right now.
But I sure don't want that to happen accidentally in 4.0.

> I suspect that there are lots of proxies that have problems when the
> real server tries to use NTLM.

The NTLM levels we can support are better not used outside
of an intranet anyway ;-)

cheers,
  Roland




Re: [HttpConn] connection management

Posted by Robert Olofsson <ro...@khelekore.org>.
Roland Weber wrote:
> My question is: will _all_ requests over that connection share
> the authentication, or do they still require some Authentication:
> or Proxy-Authentication: header? In other words, if the connection
> is given back to the connection manager and subsequently re-used,
> will those requests accidentally "inherit" the NTLM authentication?

As far as I understand it, yes as long as that connection is open
all resources transferred are considered authenticated.
NTLM is problematic since it works very differently from how http is
supposed to work. NTLM keeps state, http does not.

The only way I have managed to get my proxy to handle NTLM connections
between the real server and the real client is to switch the proxy
to a dumb tunnel when NTLM is negotiated (otherwise another client might
reuse the same server connection and be authenticated). For a
proxy any accidental authentication inheriting is very bad, for a normal
browser/tool it is probably ok.

I suspect that there are lots of proxies that have problems when the
real server tries to use NTLM.

/robo
