Posted to httpclient-users@hc.apache.org by Oleg Kalnichevski <ol...@apache.org> on 2008/09/16 23:45:13 UTC
Re: Potential account lockouts when using authentication using concurrent http requests
On Tue, 2008-09-16 at 14:24 -0700, Henrich Kraemer wrote:
> Hi Oleg,
>
> I assume with credentials store you talk about the abstraction provided by
> the CredentialsProvider interface which allows to set or get a credential
> as well as to clear them.
Correct.
> I believe you are saying in HttpClient 4 managing the credential store is
> entirely the responsibility of the application.
> Therefore the get/clear methods would not be strictly needed, right?
>
The getter is used by HttpClient internally to obtain credentials for a
particular scope. The #clear() method is not strictly needed.
> See also my follow up questions below.
>
> Thanks much,
>
> Henrich
>
>
> > When using HttpClient 4.0 one is advised to do the following:
> >
> > * populate the credentials store with the default credentials if
> > available
> > * execute the request
> > * if the request fails with status code 401 or 407, prompt the user for
> > new credentials
> > * update the credentials store according to the user input
> > * retry
>
> I looked at the ClientInteractiveAuthentication example. Here are some
> excerpts
> boolean trying = true;
> while (trying) {
>     ..
>     HttpResponse response = httpclient.execute(httpget, localContext);
>     ..
>     HttpEntity entity = response.getEntity();
>     if (entity != null) {
>         entity.consumeContent();
>     }
>
>     int sc = response.getStatusLine().getStatusCode();
>
>     AuthState authState = null;
>     if (sc == HttpStatus.SC_UNAUTHORIZED) {
>         // Target host authentication required
>         authState = (AuthState) localContext.getAttribute(ClientContext.TARGET_AUTH_STATE);
>     }
>     if (sc == HttpStatus.SC_PROXY_AUTHENTICATION_REQUIRED) {
>         // Proxy authentication required
>         authState = (AuthState) localContext.getAttribute(ClientContext.PROXY_AUTH_STATE);
>     }
>
>     if (authState != null) {
>         ..
>         AuthScope authScope = authState.getAuthScope();
>         ..
>         System.out.print("Enter username: ");
>         String user = console.readLine();
>         System.out.print("Enter password: ");
>         String password = console.readLine();
>
>         if (user != null && user.length() > 0) {
>             Credentials creds = new UsernamePasswordCredentials(user, password);
>             httpclient.getCredentialsProvider().setCredentials(authScope, creds);
>             trying = true;
>         } else {
>             trying = false;
>         }
>     } else {
>         trying = false;
>     }
> }
>
> I would think that some state needs to be carried over when forming the
> response (for digest scheme)
> Is this done via the HttpContext (localContext) which is passed into each
> execute() call?
>
Yes, it is. You may want to take a look at
ClientPreemptiveDigestAuthentication for an example of how local context
can be used to maintain state information between request invocations.
Hope this helps
Oleg
> >
> > One can also use the same logic with HttpClient 3.x.
> >
> > Hope this helps
> >
> > Oleg
> >
> > > Thanks,
> > >
> > > Henrich
> >
> >
---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org
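The populate / execute / prompt on 401 or 407 / update / retry procedure from the message above, arranged so that concurrent callers sharing one stale credential cause a single failed login and a single prompt rather than one per thread. This is an added example, not code from the post or from HttpClient: CredentialGate, its members, the passwords and the stand-in server are constructed for illustration, and the request function stands in for a call such as httpclient.execute().

```java
import java.util.concurrent.*;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.*;
// Added example; CredentialGate and its members are hypothetical, not HttpClient API.
public class CredentialGate {
    private String password;                // credential for one auth scope
    private int version;                    // bumped whenever the credential is replaced
    private boolean verified;               // true once the server has not rejected it
    private final Supplier<String> prompt;  // asks the user; null means "give up"

    CredentialGate(String initial, Supplier<String> prompt) { password = initial; this.prompt = prompt; }

    private boolean replace() {             // caller must hold the monitor
        String next = prompt.get();
        if (next != null) { password = next; version++; verified = false; }
        return next != null;
    }

    int call(Function<String, Integer> request) {  // request: password -> status code
        while (true) {
            String pw; int v;
            synchronized (this) {
                if (!verified) {            // unproven credential: one probe at a time
                    int sc = request.apply(password);
                    if (sc != 401 && sc != 407) { verified = true; return sc; }
                    if (!replace()) return sc;
                    continue;
                }
                pw = password; v = version;
            }
            int sc = request.apply(pw);     // proven credential: full concurrency
            if (sc != 401 && sc != 407) return sc;
            synchronized (this) {           // only the first reporter re-prompts
                if (v == version && !replace()) return sc;
            }
        }
    }

    public static void main(String[] args) throws Exception {
        AtomicInteger failures = new AtomicInteger(), prompts = new AtomicInteger();
        // Constructed stand-in for a server that accepts only "new-secret".
        Function<String, Integer> server = pw -> {
            if (pw.equals("new-secret")) return 200;
            failures.incrementAndGet(); return 401;
        };
        CredentialGate gate = new CredentialGate("old-secret",
            () -> { prompts.incrementAndGet(); return "new-secret"; });
        ExecutorService pool = Executors.newFixedThreadPool(8);
        for (int i = 0; i < 8; i++) pool.execute(() -> gate.call(server));
        pool.shutdown(); pool.awaitTermination(10, TimeUnit.SECONDS);
        System.out.println("failed logins=" + failures + " prompts=" + prompts);
    }
}
```

A credential that was accepted earlier and is later rejected can still fail once per request already in flight; the version check only guarantees that those callers trigger one prompt between them.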
Re: Potential account lockouts when using authentication using concurrent http requests
Posted by Henrich Kraemer <he...@us.ibm.com>.
Oleg,
There was a typo. I meant to ask whether "Therefore the SET/clear methods
would not be strictly needed, right?"
But I believe I know the answer.
Thanks,
Henrich