Posted to dev@hc.apache.org by Roei Erez <ro...@mainsoft.com> on 2007/08/12 13:27:34 UTC

Apache httpclient with NTLM

Hi all,

I am developing a server-side application, where different users (each
one has his own credentials) make http requests against a remote server.

I am using Apache HTTPClient in the server side (let's call it 'A') to
make the actual HTTP Requests against another remote server (let's call
it B).

The authentication method of server 'B' is NTLM.

My problem is that NTLM authenticates a connection, and therefore, after
one user makes an HTTP request using one connection, the connection is
authenticated with his credentials and the next user that gets this
pooled connection will use an authenticated connection that is populated
with the first user's credentials.

I think that the way to solve this problem should be by having the
HttpConnectionManager, in some cases, maintain pools by host and user
credentials, and not only by host.

One of the problems is that this requires changes to the API of
HttpConnectionManager.

Does anyone have an idea of how to handle this annoying issue?

Regards, 

Roei Erez.


RE: Apache httpclient with NTLM

Posted by Oleg Kalnichevski <ol...@apache.org>.
On Sun, 2007-08-12 at 06:30 -0700, Roei Erez wrote:
> Thanks for the quick response.
> I would like to get involved in implementing this feature.
> I have read the 'ConnectionManagementDesign' in the wiki, and want to
> come up with a good and clean design for this issue (assuming no one has
> done it already).
> Is this accepted?

Sure. You are very welcome to jump in. 

> Is there anyone that is dealing with this issue that I should talk to?

Roland Weber has been doing most of the work on the connection
management front lately. So, you should definitely synchronize your
activities with him. He might be off-line until Friday next week,
though. Meanwhile I'll be happy to help you get up to speed with the
4.0 codebase. Please do note, though, HttpClient 4.0 is still in the
very early stage of development. It is unlikely to be suitable for use
in production for many more months to come. Another important thing I
should mention: NTLM auth scheme has not yet been ported to the new API.
In general NTLM is a very thorny and controversial subject. We are still
trying to come up with a reasonable strategy of supporting NTLM
authentication in future versions of HttpClient. You may want to take a
look at this resource for details [1].

Cheers

Oleg

[1]
http://wiki.apache.org/jakarta-httpclient/FrequentlyAskedNTLMQuestions


> Thanks in advance, 
> Roei Erez.
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: httpcomponents-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpcomponents-dev-help@jakarta.apache.org


Re: Apache httpclient with NTLM

Posted by Roland Weber <os...@dubioso.net>.
Roei Erez wrote:
> I would like to get involved in implementing this feature.

That is very welcome!

> I have read the 'ConnectionManagementDesign' in the wiki,
> and want to come up with a good and clean design for this issue

That is even more welcome :-)

At the time I collected my thoughts in the Wiki, I was
still considering adding some kind of auth state to the
route itself. That is no longer the case. I'll have to
read through the page soon, and maybe update it.

I see two different aspects to connection authentication.
First, there is the authentication state as seen by
HttpAuth, where you would for example store some random
challenge or such stuff. That state needs to be updated
while the connection is used, and has to be available
when the connection is re-used.
Second, there is the authentication level/info/whatever
as seen by the connection manager. That is information
needed to decide on connection re-use in the presence
of authentication state. My view on this is as follows:

When allocating a connection, the application passes
an object that represents the available credentials.
Something like "I can authenticate to the proxy as
XYZ and to the server as VWQ". The connection manager
can then return a closed or unauthenticated connection,
or one that is proxy-authed as XYZ, or one that is
server-authed as VWQ, or one that has both auths.
But the connection manager must not return a connection
that is proxy-authed as something other than XYZ, or one
that is server-authed as something other than VWQ.
If no such object is passed, only connections without
authentication can be re-used. To keep this stuff
manageable, I thought about something like:

interface ConnAuthLevel { // or ConnAuthInfo or whatever
  boolean isUpgradeableTo(ConnAuthLevel other);
  boolean isReachableFrom(ConnAuthLevel other);
}

Two methods are needed so that both objects, the
one passed by the application and the one stored
with the connection, can disallow the re-use.
A default implementation of the interface would
simply wrap an object or null, allowing upgrade
from null but otherwise requiring the same object
in order to allow re-use.

I would like to keep HttpConn and HttpAuth independent
of each other, hence the separate AuthState in HttpAuth
and ConnAuthLevel in HttpConn. That could be tied
together in a module-auth-ntlm which depends on both.

Thoughts, suggestions, questions are welcome.

cheers,
  Roland
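
The re-use rule described in the message above, as an added example that is not part of the original post and not HttpClient code. SimpleAuthLevel, Conn and AuthAwarePoolDemo are hypothetical names, and the sketch narrows the proposal to a single identity per connection instead of separate proxy and server auth.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Iterator;

public class AuthAwarePoolDemo {
    interface ConnAuthLevel {
        boolean isUpgradeableTo(ConnAuthLevel requested); // asked of the level stored with a connection
        boolean isReachableFrom(ConnAuthLevel stored);    // asked of the level the caller passes in
    }
    /** Default from the post: wraps an identity or null; null may be upgraded, anything else must match. */
    static final class SimpleAuthLevel implements ConnAuthLevel {
        final Object identity; // null means "not authenticated"
        SimpleAuthLevel(Object identity) { this.identity = identity; }
        public boolean isUpgradeableTo(ConnAuthLevel requested) {
            return requested instanceof SimpleAuthLevel
                && (identity == null || identity.equals(((SimpleAuthLevel) requested).identity));
        }
        public boolean isReachableFrom(ConnAuthLevel stored) {
            return stored instanceof SimpleAuthLevel && stored.isUpgradeableTo(this);
        }
    }
    static final class Conn { ConnAuthLevel level = new SimpleAuthLevel(null); }
    private final Deque<Conn> idle = new ArrayDeque<>();
    /** Re-use an idle connection only if both levels agree; otherwise hand out a fresh one. */
    Conn lease(ConnAuthLevel requested) {
        if (requested == null) requested = new SimpleAuthLevel(null); // no credentials passed
        for (Iterator<Conn> it = idle.iterator(); it.hasNext(); ) {
            Conn c = it.next();
            if (c.level.isUpgradeableTo(requested) && requested.isReachableFrom(c.level)) {
                it.remove();
                c.level = requested; // conservative: treat it as authenticated from now on
                return c;
            }
        }
        Conn fresh = new Conn();
        fresh.level = requested;
        return fresh;
    }
    void release(Conn c) { idle.push(c); }
    public static void main(String[] args) {
        AuthAwarePoolDemo pool = new AuthAwarePoolDemo();
        Conn a = pool.lease(new SimpleAuthLevel("CORP\\alice")); // constructed identities
        pool.release(a);
        System.out.println("bob re-uses alice's conn:  " + (pool.lease(new SimpleAuthLevel("CORP\\bob")) == a));
        System.out.println("anonymous re-uses it:      " + (pool.lease(null) == a));
        System.out.println("alice re-uses her own:     " + (pool.lease(new SimpleAuthLevel("CORP\\alice")) == a));
    }
}
```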




RE: Apache httpclient with NTLM

Posted by Roei Erez <ro...@mainsoft.com>.
Thanks for the quick response.
I would like to get involved in implementing this feature.
I have read the 'ConnectionManagementDesign' in the wiki, and want to
come up with a good and clean design for this issue (assuming no one has
done it already).
Is this accepted?
Is there anyone that is dealing with this issue that I should talk to?
Thanks in advance, 
Roei Erez.



Re: Apache httpclient with NTLM

Posted by Oleg Kalnichevski <ol...@apache.org>.
On Sun, 2007-08-12 at 04:27 -0700, Roei Erez wrote:
> Hi all,
> 
> I am developing a server-side application, where different users (each
> one has his own credentials) make http requests against a remote server.
> 
> I am using Apache HTTPClient in the server side (let's call it 'A') to
> make the actual HTTP Requests against another remote server (let's call
> it B).
> 
> The authentication method of server 'B' is NTLM.
> 
> My problem is that NTLM authenticates a connection, and therefore, after
> one user makes an HTTP request using one connection, the connection is
> authenticated with his credentials and the next user that gets this
> pooled connection will use an authenticated connection that is populated
> with the first user's credentials.
>
> I think that the way to solve this problem should be by having the
> HttpConnectionManager, in some cases, maintain pools by host and user
> credentials, and not only by host.
>
> One of the problems is that this requires changes to the API of
> HttpConnectionManager.
>
> Does anyone have an idea of how to handle this annoying issue?
> 

Hi Roei

We are aware of the problem [1] and will provide a proper solution to it
in HttpClient 4.0. As for HttpClient 3.1, the only feasible workaround
(besides developing a custom connection manager from scratch) is to
maintain a separate connection manager instance on a per-user basis.

Oleg 

[1] https://issues.apache.org/jira/browse/HTTPCLIENT-652
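
One way to apply the per-user connection manager workaround with the HttpClient 3.1 API, as an added example that is not part of the original message or the project's code. It assumes commons-httpclient 3.1 on the classpath; PerUserClients, the host names and the passwords are hypothetical or constructed.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.MultiThreadedHttpConnectionManager;
import org.apache.commons.httpclient.NTCredentials;
import org.apache.commons.httpclient.auth.AuthScope;

/** Hypothetical helper: one HttpClient, and therefore one connection pool, per end user. */
public class PerUserClients {
    private final Map<String, HttpClient> clients = new ConcurrentHashMap<>();
    private final String targetHost; // server 'B'
    private final int targetPort;

    public PerUserClients(String targetHost, int targetPort) {
        this.targetHost = targetHost;
        this.targetPort = targetPort;
    }

    /** Returns the client owned by this user, creating its private pool on first use. */
    public HttpClient clientFor(String domain, String user, String password) {
        return clients.computeIfAbsent(domain + "\\" + user, key -> {
            // A dedicated manager means an NTLM-authenticated socket is never leased to another user.
            HttpClient c = new HttpClient(new MultiThreadedHttpConnectionManager());
            c.getState().setCredentials(
                new AuthScope(targetHost, targetPort),
                new NTCredentials(user, password, "serverA", domain)); // "serverA": placeholder client host name
            return c;
        });
    }

    /** Call on logout, session expiry or password change so authenticated sockets do not linger. */
    public void evict(String domain, String user) {
        HttpClient c = clients.remove(domain + "\\" + user);
        if (c != null) {
            ((MultiThreadedHttpConnectionManager) c.getHttpConnectionManager()).shutdown();
        }
    }

    public static void main(String[] args) {
        PerUserClients registry = new PerUserClients("serverB.example", 80);
        HttpClient alice = registry.clientFor("CORP", "alice", "constructed-pw-1");
        HttpClient bob = registry.clientFor("CORP", "bob", "constructed-pw-2");
        System.out.println("separate pools: "
            + (alice.getHttpConnectionManager() != bob.getHttpConnectionManager()));
        registry.evict("CORP", "alice");
        registry.evict("CORP", "bob");
    }
}
```

The cost is one pool per active user, so the registry needs eviction tied to the application's session lifetime to keep idle authenticated connections from accumulating.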
