Hello,

I am having trouble disabling every scheme except DIGEST and sending
credentials preemptively.

What I see when I use Wireshark is that the first HTTP request sends
credentials in BASIC mode. The server sends a 401 challenge after which the
client sends the correct DIGEST credentials. For obvious security reasons, I
want to avoid sending credentials in clear text using BASIC authentication.

If possible, I would also like to avoid the challenge step and use
preemptive authentication so that only 1 round trip is needed.

Here is my code:
        // Imports needed for the snippet below (Commons HttpClient 3.x)
        import java.util.ArrayList;
        import java.util.List;
        import org.apache.commons.httpclient.HttpClient;
        import org.apache.commons.httpclient.UsernamePasswordCredentials;
        import org.apache.commons.httpclient.auth.AuthPolicy;
        import org.apache.commons.httpclient.auth.AuthScope;
        import org.apache.commons.httpclient.methods.PostMethod;

        HttpClient client = new HttpClient();

        // Credentials scoped to one host, port and realm
        client.getState().setCredentials(new AuthScope("host", 80, "securearea"),
                                         new UsernamePasswordCredentials("username", "password"));

        // Restrict the scheme priority list to DIGEST only
        List authPrefs = new ArrayList(1);
        authPrefs.add(AuthPolicy.DIGEST);
        client.getParams().setParameter(AuthPolicy.AUTH_SCHEME_PRIORITY, authPrefs);

        client.getParams().setAuthenticationPreemptive(true);

        PostMethod post = new PostMethod("http://host/resource");
        post.setDoAuthentication(true);

        int result = client.executeMethod(post);
....

I have noticed that if I uncomment the line that does
setAuthenticationPreemptive(true), the first request does not send any
credentials at all and the 2nd request uses DIGEST credentials
appropriately.

Is there anything I am missing?

Sabari
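An added example, not code from the original post, of the DIGEST-only configuration for HttpClient 3.x together with a check on what was actually sent on the wire. It assumes Commons HttpClient 3.x; the host, realm, credentials and URL are placeholders, and the check relies on the Authorization header of the final attempt being visible on the method object after executeMethod returns.

```java
// Added example (not from the original post): HttpClient 3.x restricted to
// DIGEST, with a post-execution check that no BASIC header went out.
import java.util.ArrayList;
import java.util.List;
import org.apache.commons.httpclient.Header;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.UsernamePasswordCredentials;
import org.apache.commons.httpclient.auth.AuthPolicy;
import org.apache.commons.httpclient.auth.AuthScope;
import org.apache.commons.httpclient.methods.PostMethod;

public class DigestOnlyClient {
    public static void main(String[] args) throws Exception {
        HttpClient client = new HttpClient();

        // Scope the credentials to host, port, realm AND scheme, so they are
        // never offered to another realm or under another scheme.
        client.getState().setCredentials(
            new AuthScope("host", 80, "securearea", AuthPolicy.DIGEST),
            new UsernamePasswordCredentials("username", "password"));

        // Only DIGEST is in the priority list; BASIC and NTLM are absent.
        List authPrefs = new ArrayList(1);
        authPrefs.add(AuthPolicy.DIGEST);
        client.getParams().setParameter(AuthPolicy.AUTH_SCHEME_PRIORITY, authPrefs);

        // Preemptive mode in HttpClient 3.x sends BASIC, and DIGEST needs the
        // server nonce from a 401 challenge, so the challenge round trip is the
        // price of never putting clear-text credentials on the wire.
        client.getParams().setAuthenticationPreemptive(false);

        PostMethod post = new PostMethod("http://host/resource"); // placeholder URL
        post.setDoAuthentication(true);
        try {
            int status = client.executeMethod(post);
            // Inspect the Authorization header of the final attempt and fail
            // closed if BASIC was ever used.
            Header auth = post.getRequestHeader("Authorization");
            if (auth != null && auth.getValue().startsWith("Basic ")) {
                throw new IllegalStateException("BASIC credentials were sent");
            }
            System.out.println("status " + status + ", scheme: "
                + (auth == null ? "none" : auth.getValue().split(" ")[0]));
        } finally {
            post.releaseConnection();
        }
    }
}
```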
