Oleg,

Point well taken. I found out, as you pointed out, that handling the authentication manually with HttpClient 2.0 is not as easy (or as ideal) as I had hoped.

I have decided to go the 'expect-continue' route.

Thanks everyone for your help with this,
Jen

On Jul 14, 2004, at 11:43 AM, Oleg Kalnichevski wrote:

This can be done if you are prepared to handle the entire authentication
process manually (actually with HttpClient 3.0 it can be done quite
easily). The question is if it is really worth the trouble. It is
important to understand that the Digest authentication scheme is more secure
primarily because it involves frequent challenge-response exchanges. The
server generates a nonce which is used by the HTTP clients to produce
the password digest. If the server is configured to change the nonce too
often, that would basically defeat any sort of preemptive authentication
mechanism, in the worst case rendering it even less efficient than
'expect-continue' handshake. If the server is configured to keep the
nonce for too long, that would inevitably make Digest authentication
less secure. It is not impossible to strike a balance between efficiency
and security. The question is whether the performance gains really
justify additional complexity.
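
The nonce-lifetime trade-off described above, as an added Python example that is not part of the original thread and is not HttpClient code. The `Server` class, `round_trips`, the credentials, the 5-second request interval and the timestamp-plus-MAC nonce format are assumptions made for illustration; `digest_response` follows the RFC 2617 `qop=auth` calculation.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 request-digest for qop=auth, algorithm=MD5."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

class Server:
    """Toy server (assumption): nonce = issue time + keyed MAC, valid `lifetime` seconds."""
    def __init__(self, lifetime, user="jen", realm="demo", password="constructed-pw"):
        self.lifetime, self.user, self.realm, self.password = lifetime, user, realm, password
        self.key = b"constructed-server-key"

    def new_nonce(self, now):
        mac = hmac.new(self.key, str(now).encode(), hashlib.sha256).hexdigest()[:16]
        return f"{now}:{mac}"

    def check(self, now, method, uri, nonce, nc, cnonce, response):
        issued = nonce.partition(":")[0]
        if not issued.isdigit() or not hmac.compare_digest(self.new_nonce(int(issued)), nonce):
            return "denied"                      # nonce was not issued by this server
        expected = digest_response(self.user, self.realm, self.password, method, uri, nonce, nc, cnonce)
        if not hmac.compare_digest(expected, response):
            return "denied"
        # A longer lifetime also means a longer window in which this nonce is accepted.
        return "ok" if now - int(issued) < self.lifetime else "stale"

def round_trips(lifetime, requests=20, interval=5):
    """Client reuses its cached nonce preemptively; returns (round trips, wasted body uploads)."""
    server, nonce, nc, trips, wasted = Server(lifetime), None, 0, 0, 0
    for i in range(requests):
        now = i * interval
        for _ in range(2):                       # at most: preemptive try, then one retry
            trips += 1
            if nonce is not None:
                nc += 1
                args = ("PUT", "/upload", nonce, f"{nc:08x}", "c0ffee")
                resp = digest_response("jen", "demo", "constructed-pw", *args)
                if server.check(now, *args, resp) == "ok":
                    break
                wasted += 1                      # body was sent with a stale nonce
            nonce, nc = server.new_nonce(now), 0  # 401 challenge: take the fresh nonce
    return trips, wasted
```

With a 1-second lifetime every preemptive attempt is rejected as stale, so each request costs two round trips and the body is uploaded twice; with a 3600-second lifetime only the first request pays for a challenge.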

