Hello, I am having trouble disabling every scheme except DIGEST and sending credentials preemptively.
What I see when I use Wireshark is that the first HTTP request sends credentials in BASIC mode. The server sends a 401 challenge after which the client sends the correct DIGEST credentials. For obvious security reasons, I want to avoid sending credentials in clear text using BASIC authentication. If possible, I would also like to avoid the challenge step and use preemptive authentication so that only 1 round trip is needed.

Here is my code:

    HttpClient client = new HttpClient();
    // Credentials scoped to host, port and realm
    client.getState().setCredentials(new AuthScope("host", 80, "securearea"),
            new UsernamePasswordCredentials("username", "password"));

    // Scheme priority list containing DIGEST only
    List authPrefs = new ArrayList(1);
    authPrefs.add(AuthPolicy.DIGEST);
    client.getParams().setParameter(AuthPolicy.AUTH_SCHEME_PRIORITY, authPrefs);
    client.getParams().setAuthenticationPreemptive(true);

    PostMethod post = new PostMethod("http://host/resource");
    post.setDoAuthentication(true);
    int result = client.executeMethod(post);
    ....

I have noticed that if I uncomment the line that does setAuthenticationPreemptive(true), the first request does not send any credentials at all and the 2nd request uses DIGEST credentials appropriately.

Is there anything I am missing?

Sabari
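Why the first request to a server can carry Basic but not Digest credentials, as an added example that is not part of the original post: a Basic header needs nothing from the server, while an RFC 2617 Digest response (shown here in its legacy form without qop) is computed over the nonce that only arrives in the 401 challenge. The class name and nonce values are constructed for illustration; the user name, password, realm and URI are the placeholders from the post.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

public class BasicVsDigest {

    // Hex-encoded MD5, the default hash of RFC 2617 Digest authentication.
    static String md5Hex(String s) throws NoSuchAlgorithmException {
        byte[] d = MessageDigest.getInstance("MD5")
                .digest(s.getBytes(StandardCharsets.ISO_8859_1));
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Basic: computable before any server contact, so it can be sent
    // preemptively, but it is only base64 of "user:password".
    static String basicHeader(String user, String pass) {
        byte[] raw = (user + ":" + pass).getBytes(StandardCharsets.ISO_8859_1);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    // Digest without qop: response = MD5(HA1 ":" nonce ":" HA2).
    // The nonce comes from the server's WWW-Authenticate challenge.
    static String digestResponse(String user, String realm, String pass,
            String method, String uri, String nonce) throws NoSuchAlgorithmException {
        String ha1 = md5Hex(user + ":" + realm + ":" + pass);
        String ha2 = md5Hex(method + ":" + uri);
        return md5Hex(ha1 + ":" + nonce + ":" + ha2);
    }

    public static void main(String[] args) throws Exception {
        String basic = basicHeader("username", "password");
        System.out.println("Authorization: " + basic);
        // Anyone who captures the header recovers the password directly.
        byte[] decoded = Base64.getDecoder().decode(basic.substring("Basic ".length()));
        System.out.println("decoded: " + new String(decoded, StandardCharsets.ISO_8859_1));

        // Constructed nonces: each challenge yields a different response,
        // so no valid value exists before a challenge has been received.
        for (String nonce : new String[] {"constructed-nonce-1", "constructed-nonce-2"}) {
            System.out.println(nonce + " -> response=" + digestResponse(
                    "username", "securearea", "password", "POST", "/resource", nonce));
        }
    }
}
```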