DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://issues.apache.org/bugzilla/show_bug.cgi?id=29439>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=29439 Credentials ignored if realm specified in preemptive authentication [EMAIL PROTECTED] changed: What |Removed |Added ---------------------------------------------------------------------------- Severity|Normal |Enhancement Status|NEW |ASSIGNED Target Milestone|--- |3.0 Alpha 2 ------- Additional Comments From [EMAIL PROTECTED] 2004-06-09 09:59 ------- Philippe, Just recently we have had a quite few complaints regarding the way preemptive authentication is handled. The official HttpClient authentication guide has been revised to clarify the gray areas in the 2.0 API primarily concerning the prerequisites expected in order to make preemptive authentication functional. Rather unfortunately the site has not been redeployed yet, so the updated authentication guide is not available at the moment. You can see the xdoc source at the following location http://cvs.apache.org/viewcvs.cgi/jakarta-commons/httpclient/xdocs/authentication.xml?rev=1.5.2.4&only_with_tag=HTTPCLIENT_2_0_BRANCH&view=markup > But I don't personally think it is defensive enough since it disable > preemptive auth and it could result in large performance degradation > since you have to repeat (multi-megabytes?) POST requests two times > to get through. Preemptive authentication is not the best answer to this problem. The problem can be much better addressed by using so called 'expect-continue' handshake. See ExpectContinueMethod method's javadoc for details. The entire authentication framework in HttpClient has been completely rewritten for the 3.0 release. With HttpClient 3.0 one should already get a warning in case of missing authentication credentials. Furthermore, it also provides a better API for credentials assignment and retrieval. I will also try to come up with a better way to assign default credentials. So, stay tuned Oleg --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]