You are viewing a plain text version of this content. The canonical link for it is here.
Posted to slide-user@jakarta.apache.org by Matthew Beermann <ma...@nanonation.net> on 2004/08/11 22:00:11 UTC
Client & NTLM Authentication
I'm trying to figure out how to use NTLM authentication with the Slide client. It seemed straightforward enough at first: use retrieveSessionInstance() to get at the underlying HttpClient, then tell it to use NTLM credentials.
But I've run into a chicken-and-egg problem: you must supply WebdavResource with some sort of URI in order to construct it, and for me that URI will fail (throw a 401 exception) until the correct credentials have been supplied. But, there's no way to get to the underlying HttpClient and set the credentials until after the object has been successfully constructed! How do I get around this?
--Matthew Beermann
Re: Client & NTLM Authentication
Posted by James Mason <ma...@apache.org>.
If you make a class that extends WebdavResource you'll have access to
the protected constructor that takes an HttpClient. I'm not sure why
that isn't public, so maybe that's a change that could be made.
-James
Matthew Beermann wrote:
> I'm trying to figure out how to use NTLM authentication with the Slide client. It seemed straightforward enough at first: use retrieveSessionInstance() to get at the underlying HttpClient, then tell it to use NTLM credentials.
>
> But I've run into a chicken-and-egg problem: you must supply WebdavResource with some sort of URI in order to construct it, and for me that URI will fail (throw a 401 exception) until the correct credentials have been supplied. But, there's no way to get to the underlying HttpClient and set the credentials until after the object has been successfully constructed! How do I get around this?
>
> --Matthew Beermann
---------------------------------------------------------------------
To unsubscribe, e-mail: slide-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: slide-user-help@jakarta.apache.org
Re: Client & NTLM Authentication
Posted by Matthew Beermann <ma...@nanonation.net>.
Well, it kinda works. I've noticed at least two problems:
1. In WebdavSession, there's code that says:
if (hostCredentials != null) {
HttpState clientState = client.getState();
clientState.setCredentials(null, httpURL.getHost(),
hostCredentials);
clientState.setAuthenticationPreemptive(true);
}
If I understand the discussion at
http://jakarta.apache.org/commons/httpclient/authentication.html, this is
very wrong. Just because I've supplied credentials does NOT necessarily mean
I want to authenticate preemptively, particularly since that only sends the
Basic: scheme preemptively. For NTLM, I don't want to bother with Basic at
all. Furthermore, it makes it impossible to turn it off, since you aren't
respecting the system settings in HttpState:
wdr.retrieveSessionInstance().getState().setAuthenticationPreemptive(false);
System.out.println(wdr.retrieveSessionInstance().getState().isAuthenticationPreemptive());
==> "true"
2. I've had to avoid using WebdavResource.putMethod(), because it does not
expose PutMethod.setUseExpectHeader(). From the documentation:
Activates 'Expect: 100-Continue' handshake. The purpose of the 'Expect:
100-Continue' handshake to allow a client that is sending a request message
with a request body to determine if the origin server is willing to accept
the request (based on the request headers) before the client sends the
request body.
The use of the 'Expect: 100-continue' handshake can result in noticable
peformance improvement for entity enclosing requests (such as POST and PUT)
that require the target server's authentication.
'Expect: 100-continue' handshake should be used with caution, as it may
cause problems with HTTP servers and proxies that do not support HTTP/1.1
protocol.
...but beyond the performance win, when using with IIS on Microsoft Server
>= 2000 the expect-continue handshake is AFAICT mandatory. Otherwise, the
server throws a 500 error. It would be really, really nice if this option
were either exposed or simply turned on by default for
WebdavResource.putMethod; with appropriate support sniffing, of course.
--Matthew Beermann
----- Original Message -----
From: "Ingo Brunberg" <ib...@fiz-chemie.de>
To: <sl...@jakarta.apache.org>
Sent: Thursday, August 12, 2004 2:19 AM
Subject: Re: Client & NTLM Authentication
> In WebdavResource there are constructors where you can supply your
> credentials, for example:
> public WebdavResource(String escapedHttpURL, Credentials credentials)
>
> And I have got at least one report that it works.
>
> Ingo
>
>> I'm trying to figure out how to use NTLM authentication with the Slide =
>> client. It seemed straightforward enough at first: use =
>> retrieveSessionInstance() to get at the underlying HttpClient, then tell
>> =
>> it to use NTLM credentials.
>>
>> But I've run into a chicken-and-egg problem: you must supply =
>> WebdavResource with some sort of URI in order to construct it, and for =
>> me that URI will fail (throw a 401 exception) until the correct =
>> credentials have been supplied. But, there's no way to get to the =
>> underlying HttpClient and set the credentials until after the object has
>> =
>> been successfully constructed! How do I get around this?
>>
>> --Matthew Beermann
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: slide-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: slide-user-help@jakarta.apache.org
Re: Client & NTLM Authentication
Posted by Ingo Brunberg <ib...@fiz-chemie.de>.
In WebdavResource there are constructors where you can supply your
credentials, for example:
public WebdavResource(String escapedHttpURL, Credentials credentials)
And I have got at least one report that it works.
Ingo
> I'm trying to figure out how to use NTLM authentication with the Slide =
> client. It seemed straightforward enough at first: use =
> retrieveSessionInstance() to get at the underlying HttpClient, then tell =
> it to use NTLM credentials.
>
> But I've run into a chicken-and-egg problem: you must supply =
> WebdavResource with some sort of URI in order to construct it, and for =
> me that URI will fail (throw a 401 exception) until the correct =
> credentials have been supplied. But, there's no way to get to the =
> underlying HttpClient and set the credentials until after the object has =
> been successfully constructed! How do I get around this?
>
> --Matthew Beermann
---------------------------------------------------------------------
To unsubscribe, e-mail: slide-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: slide-user-help@jakarta.apache.org