DO NOT REPLY [Bug 17884] - Multiple DIGEST authentication attempts with same credentials

2003-03-27 Thread bugzilla
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=17884

Multiple DIGEST authentication attempts with same credentials

[EMAIL PROTECTED] changed:

What       | Removed | Added
Status     | NEW     | RESOLVED
Resolution |         | FIXED



--- Additional Comments From [EMAIL PROTECTED]  2003-03-27 21:22 ---
Patch applied

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



DO NOT REPLY [Bug 17884] - Multiple DIGEST authentication attempts with same credentials

2003-03-27 Thread bugzilla

[EMAIL PROTECTED] changed:

What | Removed | Added
CC   |         | [EMAIL PROTECTED]



--- Additional Comments From [EMAIL PROTECTED]  2003-03-27 21:20 ---
*** Bug 16861 has been marked as a duplicate of this bug. ***




DO NOT REPLY [Bug 17884] - Multiple DIGEST authentication attempts with same credentials

2003-03-24 Thread bugzilla

--- Additional Comments From [EMAIL PROTECTED]  2003-03-24 20:56 ---
Created an attachment (id=5482)
Patch (take 2)




DO NOT REPLY [Bug 17884] - Multiple DIGEST authentication attempts with same credentials

2003-03-21 Thread bugzilla

--- Additional Comments From [EMAIL PROTECTED]  2003-03-22 04:23 ---
> - My goal, though, was to retain full API compatibility. I agree that NTLM
> class does not belong to the root 'httpclient' package and should be moved to
> 'httpclient.auth' package.

* That's fine, it can be moved whenever it's ready to move.  I only noticed 
because I'd already made my local copy package private and saw the compile 
errors.

> - I discovered this assumption while working on the patch and found it a bit
> odd. I have taken care that the modified code does honor this assumption,
> however, I'd also prefer NT domain to be returned as authentication realm. This
> said, I have to confess about being absolutely clueless as far as NTLM protocol
> is concerned. I do not know if it is feasible at all. So, help would be
> appreciated

* Using the NT domain would be nice, but unfortunately it is one of the things 
stored in the credentials we're trying to find.  Also, a server may be in any 
number of NT domains for authentication purposes, or an entire NT domain could 
be a child of another domain (they form a tree structure).  The one constant 
that I have been able to find in the process, is the host name (which 
unfortunately can be substituted for a different host name or an IP) as with 
no realms any authentication challenge from a server will accept the same 
credentials as any other challenge from that server.  If there is a better way 
to go about it, it would be good to hear about it, but I don't think there is.

The rest we seem to agree on.  I'll try to run a few tests to make sure 
everything is working as expected this afternoon, but it all looks good to me 
so I don't expect any problems.
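
The host-name fallback discussed in this comment, as an added example that is not part of the thread and is not HttpClient code. The `Scheme` and `CredentialStore` types, the host names and the accounts are hypothetical and constructed for illustration.

```java
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

// Hypothetical classes for illustration; not the HttpClient API.
public class RealmFallbackDemo {

    /** Stand-in for an auth scheme; getRealm() is null for NTLM. */
    interface Scheme {
        String getRealm();
    }

    static final class CredentialStore {
        private final Map<String, String> byScope = new HashMap<>();

        void put(String scope, String account) {
            byScope.put(scope, account);
        }

        /** Looks up by realm, or by lower-cased host name when there is no realm. */
        String lookup(Scheme scheme, String host) {
            String realm = scheme.getRealm();
            String scope = (realm != null) ? realm : host.toLowerCase(Locale.ROOT);
            return byScope.get(scope);
        }
    }

    public static void main(String[] args) {
        // Constructed sample data: two NTLM servers and one Digest realm.
        CredentialStore store = new CredentialStore();
        store.put("files.example.test", "CORP\\alice");
        store.put("mail.example.test", "LAB\\bob");
        store.put("Staff Area", "carol");

        Scheme ntlm = () -> null;
        Scheme digest = () -> "Staff Area";

        // Each NTLM server resolves to its own account.
        System.out.println(store.lookup(ntlm, "FILES.example.test"));
        System.out.println(store.lookup(ntlm, "mail.example.test"));
        // A challenge that carries a realm is looked up by that realm.
        System.out.println(store.lookup(digest, "mail.example.test"));
        // Same server addressed by IP: no entry, so no credentials are offered.
        System.out.println(store.lookup(ntlm, "192.0.2.10"));
    }
}
```

Keying on the realm alone, as this sketch does for Digest, means any host that names that realm is offered the stored account; a store keyed on host and realm together avoids that.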




DO NOT REPLY [Bug 17884] - Multiple DIGEST authentication attempts with same credentials

2003-03-21 Thread bugzilla

--- Additional Comments From [EMAIL PROTECTED]  2003-03-21 14:58 ---
>> * The NTLM class is to become package access in the near future, but this
>> patch requires it to be public.  Probably should move the NTLM class into the
>> auth package.  Final say on when this happens is up to Jandalf but I'm all for
>> doing it now while you're refactoring.  Alternatively the NTLM class could be
>> rolled into the NTLMScheme class, but it may make the class a bit big.

- My goal, though, was to retain full API compatibility. I agree that NTLM class
does not belong to the root 'httpclient' package and should be moved to
'httpclient.auth' package.

>> * The realm for NTLM has previously been considered to be the hostname of the
>> server being connected to.  Without this assumption it is impossible to
>> connect to two NTLM servers in parallel and requires workarounds even when
>> connecting sequentially.  We could document getRealm to indicate that if it
>> returns null, the realm should be considered to be the host name of the
>> server, but I would prefer to see the domain name returned by getRealm.

- I discovered this assumption while working on the patch and found it a bit
odd. I have taken care that the modified code does honor this assumption,
however, I'd also prefer NT domain to be returned as authentication realm. This
said, I have to confess about being absolutely clueless as far as NTLM protocol
is concerned. I do not know if it is feasible at all. So, help would be
appreciated

>> * In NTLMScheme, there is a class variable called ntmlchallenge, it probably
>> should be ntlmchallenge (note lm/ml difference).

Oooops. Corrected

>> * AuthChallengeParser.extractScheme returns the result in all lower case,
>> however getSchemeName() returns the name with varying capitals. It seems
>> neater to have
>> AuthChallengeParser.extractScheme().equals(scheme.getSchemeName())
>> if the scheme matches the challenge.

Makes sense. Corrected

>> * There's currently no way to register a new scheme to be used, eventually we
>> should add one, though pluggable auth modules wasn't scheduled until 2.1 or
>> later (the lack of this ability probably renders the above point moot).

- It occurred to me as well. However, pluggable architecture should encompass
not only authentication, but other aspects (pluggable cookie policies, for
instance). This definitely would be too much for the time being. Such redesign
should be preceded by implementation of a better configuration architecture.
Definitely a post-2.0 feature

>> * Authenticator seems to have almost exclusively become a wrapper for
>> HttpAuthenticator.  Should we make it a full wrapper and deprecate the class?
>> (Definitely don't remove it until after 2.0 though)

- That will be the next step for me, if the patch gets approved

>> * Maybe I'm just up too late but there seems to be some redundant code on
>> line 216 of Authenticator:

No, it's just silly me ;-)

Many thanks, Adrian, for your input




DO NOT REPLY [Bug 17884] - Multiple DIGEST authentication attempts with same credentials

2003-03-21 Thread bugzilla

--- Additional Comments From [EMAIL PROTECTED]  2003-03-21 13:43 ---
Hi Oleg,
A few comments as I come across things:

* The NTLM class is to become package access in the near future, but this 
patch requires it to be public.  Probably should move the NTLM class into the 
auth package.  Final say on when this happens is up to Jandalf but I'm all for 
doing it now while you're refactoring.  Alternatively the NTLM class could be 
rolled into the NTLMScheme class, but it may make the class a bit big.

* The realm for NTLM has previously been considered to be the hostname of the 
server being connected to.  Without this assumption it is impossible to 
connect to two NTLM servers in parallel and requires workarounds even when 
connecting sequentially.  We could document getRealm to indicate that if it 
returns null, the realm should be considered to be the host name of the 
server, but I would prefer to see the domain name returned by getRealm.

* In NTLMScheme, there is a class variable called ntmlchallenge, it probably 
should be ntlmchallenge (note lm/ml difference).

* AuthChallengeParser.extractScheme returns the result in all lower case, 
however getSchemeName() returns the name with varying capitals. It seems 
neater to have 
AuthChallengeParser.extractScheme().equals(scheme.getSchemeName()) 
if the scheme matches the challenge.

* There's currently no way to register a new scheme to be used, eventually we 
should add one, though pluggable auth modules wasn't scheduled until 2.1 or 
later (the lack of this ability probably renders the above point moot).

* Considering that at some point we are going to make schemes pluggable, 
should we add a "canHandle" method which can be used to determine if the 
Scheme can handle the given authentication challenge?

* Following along with the above, HttpAuthenticator.selectAuthScheme could be 
slightly more generic by using either the canHandle method if one is added or 
by using the getSchemeName if not to determine which scheme to return.  
Admittedly this code may get messy as unfortunately there's no way to enforce 
a class to have a constructor which takes just a String parameter.

* Authenticator seems to have almost exclusively become a wrapper for 
HttpAuthenticator.  Should we make it a full wrapper and deprecate the class? 
(Definitely don't remove it until after 2.0 though)

* Maybe I'm just up too late but there seems to be some redundant code on line 
216 of Authenticator:

    headers = (Header [])headerlist.toArray(new Header[headerlist.size()]);
    for (int i = 0; i < headers.length; i++) {
        headers[i] = (Header)headerlist.get(i);
    }

It seems to me that toArray should copy the contents of the list into the 
array before returning, so there's then no need for the for loop.

Generally I think the architecture looks really good, I haven't really gone 
over the actual code implementation and haven't had a chance to set up tests 
yet, but will hopefully get to that tomorrow.  For now it's time for bed.

Hope that gives you something to think about anyway.
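
The `canHandle` suggestion and the scheme-name case mismatch raised in this comment, sketched as an added example that is not code from the thread or from HttpClient. All types and method bodies are hypothetical, the challenges are constructed, and the NTLM, Digest, Basic preference order is an assumption.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

// Hypothetical classes for illustration; not the HttpClient API.
public class SchemeSelectionDemo {
    interface Scheme {
        String getSchemeName();
        /** True when the challenge's scheme token matches this scheme, ignoring case. */
        default boolean canHandle(String challenge) {
            return extractScheme(challenge).equals(getSchemeName().toLowerCase(Locale.ROOT));
        }
    }

    /** Returns the leading scheme token of a challenge, lower-cased. */
    static String extractScheme(String challenge) {
        String s = challenge.trim();
        int end = 0;
        while (end < s.length() && !Character.isWhitespace(s.charAt(end))) {
            end++;
        }
        if (end == 0) {
            throw new IllegalArgumentException("challenge has no scheme token");
        }
        return s.substring(0, end).toLowerCase(Locale.ROOT);
    }

    /** Returns the first scheme, in preference order, that handles any challenge. */
    static Scheme select(List<Scheme> preferred, List<String> challenges) {
        for (Scheme scheme : preferred) {
            for (String challenge : challenges) {
                if (scheme.canHandle(challenge)) {
                    return scheme;
                }
            }
        }
        return null; // no supported scheme was offered
    }

    public static void main(String[] args) {
        // Assumed preference order; constructed challenges with mixed-case tokens.
        Scheme ntlm = () -> "NTLM", digest = () -> "Digest", basic = () -> "Basic";
        List<Scheme> preferred = Arrays.asList(ntlm, digest, basic);
        List<String> challenges = Arrays.asList(
                "BASIC realm=\"Staff Area\"",
                "digest realm=\"Staff Area\", nonce=\"constructed\"");
        System.out.println(select(preferred, challenges).getSchemeName());
    }
}
```

Because the comparison is done on lower-cased tokens, a server that sends `BASIC` or `digest` still matches, and the caller never falls through to a weaker scheme just because of capitalisation.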




DO NOT REPLY [Bug 17884] - Multiple DIGEST authentication attempts with same credentials

2003-03-21 Thread bugzilla

--- Additional Comments From [EMAIL PROTECTED]  2003-03-21 11:04 ---
- A few more polishing touches. 
- All new classes have been documented. 

Folks, your feedback will be hugely appreciated
Oleg




DO NOT REPLY [Bug 17884] - Multiple DIGEST authentication attempts with same credentials

2003-03-21 Thread bugzilla

--- Additional Comments From [EMAIL PROTECTED]  2003-03-21 11:01 ---
Created an attachment (id=5459)
Patch (take 1)




DO NOT REPLY [Bug 17884] - Multiple DIGEST authentication attempts with same credentials

2003-03-19 Thread bugzilla

--- Additional Comments From [EMAIL PROTECTED]  2003-03-19 19:59 ---
While working on a fix for this bug I have come to realize that any sort of
clean solution would require an almost complete authentication logic redesign.
Authenticator#authenticate method needed to be more modular, so that HttpClient
class could access information about authentication scheme being used. Besides,
authentication parsing logic was a complete mess. I was not sure I could fix it
without introducing subtle bugs

IMPORTANT: The patch retains full API compatibility with the existing version.
No existing code should be broken.

This patch should also fix the following bugs:
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=17158
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=16861

You'll have to perform some manual adjustments after having applied the patch:
- create org.apache.commons.httpclient.auth package
- move AuthChallengeParser, AuthenticationException,
MalformedChallengeException, AuthScheme, AuthSchemeBase, BasicScheme,
DigestScheme, NTLMScheme, RFC2617Scheme, HttpAuthenticator classes to the newly
created package

Oleg
PS: New classes have not been documented yet




DO NOT REPLY [Bug 17884] - Multiple DIGEST authentication attempts with same credentials

2003-03-19 Thread bugzilla

--- Additional Comments From [EMAIL PROTECTED]  2003-03-19 19:39 ---
Created an attachment (id=5423)
Patch draft (complete redesign of authentication components)




DO NOT REPLY [Bug 17884] - Multiple DIGEST authentication attempts with same credentials

2003-03-17 Thread bugzilla

[EMAIL PROTECTED] changed:

What       | Removed                              | Added
CC         |                                      | commons-httpclient-[EMAIL PROTECTED]
AssignedTo | commons-httpclient-[EMAIL PROTECTED] | [EMAIL PROTECTED]




DO NOT REPLY [Bug 17884] - Multiple DIGEST authentication attempts with same credentials

2003-03-11 Thread bugzilla

[EMAIL PROTECTED] changed:

What             | Removed   | Added
Priority         | Other     | High
Target Milestone | ---       | 2.0 Beta 1
Version          | 1.0 Alpha | 2.0 Alpha 3




DO NOT REPLY [Bug 17884] - Multiple DIGEST authentication attempts with same credentials

2003-03-11 Thread bugzilla

--- Additional Comments From [EMAIL PROTECTED]  2003-03-11 16:30 ---
Created an attachment (id=5268)
Debug trace
