cvs commit: jakarta-commons/httpclient/xdocs authentication.xml

Tue, 01 Jun 2004 13:56:59 -0700 

olegk       2004/06/01 13:56:52

  Modified:    httpclient/xdocs Tag: HTTPCLIENT_2_0_BRANCH
                        authentication.xml
  Log:
  PR #29062 ([API Doc] Improve the description of the preemptive authentication)
  
  Contributed by Oleg Kalnichevski
  Reviewed by Michael Becke
  
  Revision  Changes    Path
  No                   revision
  No                   revision
  1.5.2.4   +37 -6     jakarta-commons/httpclient/xdocs/authentication.xml
  
  Index: authentication.xml
  ===================================================================
  RCS file: /home/cvs/jakarta-commons/httpclient/xdocs/authentication.xml,v
  retrieving revision 1.5.2.3
  retrieving revision 1.5.2.4
  diff -u -r1.5.2.3 -r1.5.2.4
  --- authentication.xml        21 Aug 2003 16:07:31 -0000      1.5.2.3
  +++ authentication.xml        1 Jun 2004 20:56:52 -0000       1.5.2.4
  @@ -6,6 +6,7 @@
       <title>HttpClient Authentication Guide</title>
       <author email="[EMAIL PROTECTED]">Jeff Dever</author>
       <author email="[EMAIL PROTECTED]">Adrian Sutton</author>
  +    <author email="oleg -at- ural.ru">Oleg Kalnichevski</author>
       <revision>$Id$</revision>
     </properties>
   
  @@ -22,8 +23,8 @@
                the only thing a developer must do is actually provide the login
                credentials.  These credentials are stored in the HttpState instance
                and can be set or retrieved using the <code>setCredentials(String 
realm,
  -             Credentials cred)</code> and <code>getCredentials(String realm)</code>
  -             methods.</p>
  +             String host, Credentials cred)</code> and <code>getCredentials(String 
realm,
  +             String host)</code> methods.</p>
   
                <p><i>Note:</i> To set default Credentials for any realm that has not 
been
                explicitly specified, pass in <code>null</code> as the value of
  @@ -41,7 +42,15 @@
   
       <source>client.getState().setAuthenticationPreemptive(true);</source>
   
  -    <p>To enable preemptive authentication by default for all newly created
  +             <p>Preemptive authentication mode also requires default Credentials to 
be set 
  +             for the target or proxy host against which preemptive authentication 
is to be 
  +             attempted. Failure to provide default credentials will render the 
preemptive 
  +             authentication mode ineffective.</p>
  +
  +<source>Credentials defaultcreds = new UsernamePasswordCredentials("username", 
"password");
  +client.getState().setCredentials(null, "myhost", defaultcreds);</source>
  +
  +     <p>To enable preemptive authentication by default for all newly created
       <tt>HttpState</tt>'s, a system property can be set, as shown below.</p>
   
                <source>setSystemProperty(Authenticator.PREEMPTIVE_PROPERTY, 
"true");</source>
  @@ -58,6 +67,28 @@
                a userid and password in the Proxy-Authorization header field without
                receiving another challenge from the proxy server.</blockquote>
                </subsection>
  +             <subsection name="Security aspects of server authentication">
  +
  +             <p>Use default credentials with caution when developing applications 
  +        that may need to communicate with untrusted web sites or web applications. 
When 
  +        preemptive authentication is activated or credentials are not explicitly 
given 
  +        for a specific authentication realm and host HttpClient will use default 
credentials 
  +        to try to authenticate with the target site. If you want to avoid sending 
sensitive 
  +        credentials to an untrusted site, narrow the credentials scope as much as 
possible: 
  +        always specify the host and, when known, the realm the credentials are 
intended for.
  +        </p>
  +        <p>
  +        Setting credentials with <code>null</code> host and realm values is highly 
  +        discouraged in production applications. Doing this will result in the 
credentials 
  +        being sent for all authentication attempts (all requests in the case of 
  +        preemptive authentication). Use of this setting should be limited to 
debugging 
  +        only.
  +        </p>
  +<source>// To be avoided unless in debug mode
  +Credentials defaultcreds = new UsernamePasswordCredentials("username", "password");
  +client.getState().setCredentials(null, null, defaultcreds);</source>
  +
  +             </subsection>
        </section>
   
        <section name="Proxy Authentication">
  @@ -150,9 +181,9 @@
        </section>
   
     <section name="Examples">
  -      <p>There is an <a 
href="http://cvs.apache.org/viewcvs.cgi/*checkout*/jakarta-commons/httpclient/src/examples/BasicAuthenticatonExample.java?rev=HEAD&amp;content-type=text/plain";>example</a>
 
  +      <p>There is an <a 
href="http://cvs.apache.org/viewcvs.cgi/jakarta-commons/httpclient/src/examples/BasicAuthenticationExample.java?rev=1.1.2.3&amp;only_with_tag=HTTPCLIENT_2_0_BRANCH";>example</a>
 
         of basic authentication available in the       
  -      <a 
href="http://cvs.apache.org/viewcvs.cgi/jakarta-commons/httpclient/src/examples/";>example
 directory</a> in CVS.
  +      <a 
href="http://cvs.apache.org/viewcvs.cgi/jakarta-commons/httpclient/src/examples/?only_with_tag=HTTPCLIENT_2_0_BRANCH";>example
 directory</a> in CVS.
         </p>
     </section>
     
  
  
  

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to