Hello Jing,

null is the "default realm", where the HttpClient looks if there are no credentials for the specific realm, or if it doesn't know the realm because it performs preemptive authentication.

Why the server accepts empty credentials is a different question. Probably a misconfiguration on the server side. Did you verify by wire log that the authentication actually takes place? Maybe the state holds a session cookie from a previous request and the server does not require authentication for the following ones. For example, WebSphere Application Server would behave like that if an LTPA cookie is sent by the client.

Hope that helps,
Roland

Jing Chen <[EMAIL PROTECTED]>
03.06.2004 00:06
Please respond to "Commons HttpClient Project"

To: "Commons HttpClient Project (E-mail)" <[EMAIL PROTECTED]>
cc:
Subject: authenticate problem

I have an application that requires authentication. I use a timer to schedule a task that will access the same application through httpClient. I am surprised to see the following statement did pass the authentication:

client.getState().setCredentials (null,new UsernamePasswordCredentials());

1. Can anybody explain why?

2. I did a little experiment - if I don't call authenticate(), then the client.executeMethod(new PostMethod(http://myapp.com/myapp)) will fail because no credentials available for realm x at host xxx. However, if I call authenticate(), even to authenticate empty credential with null realm, I get pass for the next client.executeMethod(...). Why can I get authenticated on realm x while I only did authentication for null??

Thanks
Jing
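
The default-realm fallback discussed in this thread can be observed offline on HttpState alone, without contacting a server. The following is an added example, not code from the thread or from the HttpClient project; it assumes a commons-httpclient 2.0 or 3.x jar on the classpath, uses the three-argument setCredentials/getCredentials methods (deprecated in 3.x), and the user names, password, and the extra realm and host names are constructed.

```java
import org.apache.commons.httpclient.Credentials;
import org.apache.commons.httpclient.HttpState;
import org.apache.commons.httpclient.UsernamePasswordCredentials;

public class RealmScopeDemo {

    // Report which stored credentials, if any, HttpState selects for a challenge.
    static String select(HttpState state, String realm, String host) {
        Credentials c = state.getCredentials(realm, host);
        if (c == null) {
            return "none";
        }
        // Print only the user name; toString() would include the password.
        return "user '" + ((UsernamePasswordCredentials) c).getUserName() + "'";
    }

    static void report(String label, HttpState state) {
        // Constructed challenges: the thread's realm and host first,
        // then a different realm and a different host.
        String[][] challenges = {
            {"x", "myapp.com"},
            {"other-realm", "myapp.com"},
            {"x", "other.example"}
        };
        System.out.println(label);
        for (int i = 0; i < challenges.length; i++) {
            String realm = challenges[i][0];
            String host = challenges[i][1];
            System.out.println("  realm=" + realm + " host=" + host
                    + " -> " + select(state, realm, host));
        }
    }

    public static void main(String[] args) {
        // Default registration (null realm, null host): offered to every challenge.
        // Empty strings stand in for the empty credentials from the thread.
        HttpState defaults = new HttpState();
        defaults.setCredentials(null, null, new UsernamePasswordCredentials("", ""));

        // Scoped registration: offered only to realm x on myapp.com.
        HttpState scoped = new HttpState();
        scoped.setCredentials("x", "myapp.com",
                new UsernamePasswordCredentials("svc-timer", "constructed-secret"));

        report("default realm (null, null):", defaults);
        report("scoped to realm x at myapp.com:", scoped);
    }
}
```

With the default registration every challenge is answered with the stored credentials, while the scoped registration leaves the other realm and the other host without credentials, so real account data is never offered to a realm or host it was not intended for.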