http://issues.apache.org/bugzilla/show_bug.cgi?id=29062

[API Doc] Improve the description of the preemptive authentication

------- Additional Comments From [EMAIL PROTECTED] 2004-05-28 03:05 -------

> (1) when credentials are set for null host and null realm. We should have never
> allowed that in the very first place, but we did, and now we have to live with
> that. I believe at the very least we should warn the users about security
> implications of setting default credentials for null host and realm

Completely agree. Having null host and realm is of little practical use. I think we should just document it heavily and let people shoot themselves in the foot if they so choose.

> (2) HttpClient 2.0 does not take target port into consideration when selecting
> credentials for the HTTP state. This also should not have happened, but it
> did. So, even if default credentials are set for a specific host, HttpClient can
> send them to an untrusted application if it is hosted on a different port

True, but this applies to non-preemptive authentication as well.

> (3) I believe there are at least several web platforms capable of supporting
> different authentication realms defined within the same virtual host. There's no
> way HttpClient can differentiate those realms unless it receives an
> authorization challenge.

Agreed. Preemptive authentication, as it currently stands, cannot be effectively used in this case.

> 2 and 3 are really fringe cases but they are not impossible. Think of a hosting
> company serving a massive number of virtual sites off the same web platform

In this case we should be okay, since each virtual host can be differentiated by host name.

> I do admit that the part about being cautious when using preemptive may be badly
> worded, but I do think it should be there

Good, I think we're in agreement then :) We should keep some warnings about preemptive authentication, but try to focus on the areas where it could be a potential problem in practice. In my opinion the only real issue is in regard to hosts with multiple realms.

Mike
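The two configurations the comment contrasts, written out as an added Java example (not code from the bug report or from the HttpClient project). It assumes the HttpClient 2.0 HttpState API, i.e. setCredentials(realm, host, credentials) and setAuthenticationPreemptive(boolean); the realm name, host name and credentials are made up.

```java
import org.apache.commons.httpclient.Credentials;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.HttpState;
import org.apache.commons.httpclient.UsernamePasswordCredentials;
import org.apache.commons.httpclient.methods.GetMethod;

public class PreemptiveAuthScope {

    // Risky: default credentials (null realm, null host). With preemptive
    // authentication on, HttpClient 2.0 attaches them to every request it
    // sends, so whatever host the client is pointed at receives the password.
    static HttpClient riskyClient(Credentials creds) {
        HttpClient client = new HttpClient();
        HttpState state = client.getState();
        state.setAuthenticationPreemptive(true);
        state.setCredentials(null, null, creds);
        return client;
    }

    // Safer: bind the credentials to the one host and realm they belong to.
    // Caveats from the discussion: 2.0 ignores the port, so another service on
    // the same host name still receives them; and if that host serves several
    // realms, leave preemptive off so the 401 challenge selects the realm.
    static HttpClient scopedClient(Credentials creds, boolean singleRealm) {
        HttpClient client = new HttpClient();
        HttpState state = client.getState();
        state.setAuthenticationPreemptive(singleRealm);
        // "Protected Area" and intranet.example are made-up values
        state.setCredentials("Protected Area", "intranet.example", creds);
        return client;
    }

    public static void main(String[] args) throws Exception {
        Credentials creds = new UsernamePasswordCredentials("user", "secret");
        HttpClient client = scopedClient(creds, true);
        GetMethod get = new GetMethod("http://intranet.example/report");
        try {
            int status = client.executeMethod(get);
            System.out.println("HTTP " + status);
        } finally {
            get.releaseConnection();
        }
    }
}
```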