Httpclient + HTTPS + Proxy + BASIC Authentication

2004-03-24 Thread John Melody

Hi,

I have read the notes on the bug in Httpclient V2.0 to do with
using Basic Authentication with a HTTPS Url through a proxy.

One workaround proposed is to use preemptive authentication.

Are the credentials i.e. username, password sent unencrypted to the
target server when Preemptive Authentication is used even though the URL is
a https URL?

There are some notes about a PATCH being available for this problem.
If so, how do I get it - I am currently using HttpClient V2.0. Can
this version be patched to fix the problem or must I move to a newer
version of httpclient to avail of the patch?

thanks for any help,
John.

regards,
John.
John Melody
SyberNet Ltd.
Galway Business Park,
Dangan,
Galway.
Tel. No. +353 91 514400
Fax. NO. +353 91 514409
Mobile - 087-2345847





RE: Httpclient + HTTPS + Proxy + BASIC Authentication

2004-03-24 Thread Kalnichevski, Oleg

John,
HttpClient will not/cannot attempt to authenticate with the target server until the
transport layer (SSL tunnel) is up and running. It does not matter if pre-emptive
authentication is used or not, SSL takes care of the transport security between the
client and the target server. Only when authenticating against a proxy using Basic
scheme, the proxy credentials are sent in clear.

Oleg

-Original Message-
From: John Melody [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 24, 2004 13:58
To: Commons HttpClient Project
Subject: RE: Httpclient + HTTPS + Proxy + BASIC Authentication


Hi Oleg,

Thanks for your quick response.

Just to clarify one point - I am not concerned about authenticating
with the proxy - rather I need to do BASIC Authentication with the target
server and I am wondering if I use pre-emptive authentication are the
username and password credentials sent to the target server in clear text -
before the full SSL connection is in place.

So when I make the request to the URL i.e.
https://www.targetserver.com/document
via the proxy, the target server is going to come back looking for
username/password credentials because the document resource will require
this.
Httpclient will allow me to configure it so that it takes care of this
authentication request from the target server using

post.setDoAuthentication( true );

However, if I am using pre-emptive authentication, has the username and
password gone to the target server unsecured?

thanks for your help,

John


-Original Message-
From: Kalnichevski, Oleg [mailto:[EMAIL PROTECTED]
Sent: 24 March 2004 13:26
To: Commons HttpClient Project
Subject: RE: Httpclient + HTTPS + Proxy + BASIC Authentication



John,

The connection between the client (the agent) and the proxy is always
unencrypted regardless of the transport mechanism used to access the target
server (plain or SSL). Therefore, when the Basic authentication scheme is used
to authenticate with the proxy, the credentials are transmitted in clear case.
To my knowledge none of the mainstream proxy servers currently implements
transport security between the client (the agent) and the proxy.

The HTTPS + Proxy + BASIC Authentication bug has been fixed in the
3.0-prealpha-nightly version of HttpClient. Please note that this is an
unstable development version and it is incompatible with 2.0 API. If things
progress well, we may have the first official alpha out by the of May for the
public review of the new 3.0 API.

http://jakarta.apache.org/commons/httpclient/downloads.html

Cheers,

Oleg

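Added example (not part of the original thread and not HttpClient code): a small Python model of the exchange discussed above, showing which Basic credentials sit on the unencrypted client-to-proxy leg and which are written only inside the SSL tunnel, with and without pre-emptive authentication. The host and path come from the thread; the user names and passwords are constructed, and the CONNECT request is shown as it looks once proxy credentials are attached.

```python
import base64

def basic(user, password):
    """Value of a Basic (Proxy-)Authorization header."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def build_exchange(host, path, proxy_creds, target_creds, preemptive):
    """Model what the client writes when POSTing to https://host/path via a proxy.

    Returns (cleartext, tunneled):
      cleartext - the CONNECT request, sent to the proxy before any TLS exists
      tunneled  - requests written inside the TLS session with the target
    """
    cleartext = (f"CONNECT {host}:443 HTTP/1.1\r\nHost: {host}:443\r\n"
                 f"Proxy-Authorization: {basic(*proxy_creds)}\r\n\r\n").encode()
    head = f"POST {path} HTTP/1.1\r\nHost: {host}\r\nContent-Length: 0\r\n"
    with_auth = (head + f"Authorization: {basic(*target_creds)}\r\n\r\n").encode()
    # Non-preemptive: the first request carries no credentials, the target
    # answers 401, and the retry carries them. Preemptive: sent on the first try.
    tunneled = [with_auth] if preemptive else [(head + "\r\n").encode(), with_auth]
    return cleartext, tunneled

def exposed_credentials(raw):
    """Return (header, user) for each Basic credential readable in raw bytes."""
    found = []
    for line in raw.decode("latin-1").split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() in ("authorization", "proxy-authorization"):
            scheme, _, token = value.strip().partition(" ")
            if scheme.lower() == "basic":
                user = base64.b64decode(token).decode("latin-1").partition(":")[0]
                found.append((name.strip(), user))
    return found

# Constructed sample values (host and path are the ones used in the thread).
HOST, PATH = "www.targetserver.com", "/document"
PROXY_CREDS = ("proxyuser", "proxy-secret")
TARGET_CREDS = ("john", "target-secret")

if __name__ == "__main__":
    for preemptive in (False, True):
        clear, tunneled = build_exchange(HOST, PATH, PROXY_CREDS,
                                         TARGET_CREDS, preemptive)
        print("preemptive =", preemptive)
        print("  readable on client-proxy leg:", exposed_credentials(clear))
        print("  written inside the tunnel:  ",
              [exposed_credentials(r) for r in tunneled])
```

In both modes the cleartext leg contains only the proxy credentials; pre-emptive authentication changes how many requests travel inside the tunnel, not what is visible outside it.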