[jira] Created: (HTTPCLIENT-872) Add preemptive authentication

Add preemptive authentication
-----------------------------

                 Key: HTTPCLIENT-872
                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-872
             Project: HttpComponents HttpClient
          Issue Type: Improvement
          Components: HttpAuth
    Affects Versions: 4.0 Final
            Reporter: Gerald Turner
            Priority: Trivial
         Attachments: PreemptiveAuth.patch

Wishlist request for preemptive authentication to be included in the API, like HttpClient 3.x had.  There is an example ClientPreemptiveBasicAuthentication.java that uses HttpRequestInterceptor which I had adapted to my application and it works fine.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@...
For additional commands, e-mail: dev-help@...

     [ https://issues.apache.org/jira/browse/HTTPCLIENT-872?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Gerald Turner updated HTTPCLIENT-872:
-------------------------------------

    Attachment: PreemptiveAuth.patch

Patch which implements preemptive authentication

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@...
For additional commands, e-mail: dev-help@...

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-872?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12751160#action_12751160 ]

Gerald Turner commented on HTTPCLIENT-872:
------------------------------------------

Patch has a few caveats.

I tried following the project style as best I could, but there were a few arbitrary decisions:

• New parameter is AuthPNames.PREEMPTIVE_AUTHENTICATION with accessors in AuthParams and AuthParamBean.  I could have chosen ClientPNames since that's where HANDLE_AUTHENTICATION lives.

• New PreemptiveAuth HttpRequestInterceptor class is in org.apache.http.impl.auth package.  It only works with BasicAuthScheme.  I don't believe there is any validity with trying to implement preemptive authentication for Digest and NTLM types since they include server generated 'nonce' values as part of the challenge.

• Since the request interceptors are initialized by DefaultHttpClient.createHttpProcessor patch changes the code like so:

    @Override
    protected BasicHttpProcessor createHttpProcessor() {
        BasicHttpProcessor httpproc = new BasicHttpProcessor();
        httpproc.addInterceptor(new RequestDefaultHeaders());
        // Required protocol interceptors
        httpproc.addInterceptor(new RequestContent());
        httpproc.addInterceptor(new RequestTargetHost());
        // Recommended protocol interceptors
        httpproc.addInterceptor(new RequestClientConnControl());
        httpproc.addInterceptor(new RequestUserAgent());
        httpproc.addInterceptor(new RequestExpectContinue());
        // HTTP state management interceptors
        httpproc.addInterceptor(new RequestAddCookies());
        httpproc.addInterceptor(new ResponseProcessCookies());
        // HTTP authentication interceptors
        if (AuthParams.getPreemptiveAuthentication(getParams()))
            httpproc.addInterceptor(new PreemptiveAuth());
        httpproc.addInterceptor(new RequestTargetAuthentication());
        httpproc.addInterceptor(new RequestProxyAuthentication());
        return httpproc;
    }

...there is only one other method createXXX method which peeks at getParams(), createClientConnectionManager, so it appears to follow the same style.

• I added a testPreemptiveAuthentication case to TestClientAuthentication.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@...
For additional commands, e-mail: dev-help@...

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-872?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12751169#action_12751169 ]

Gerald Turner commented on HTTPCLIENT-872:
------------------------------------------

Hey Oleg, before you commit this patch, please note that I put an incorrect "@since 4.0 + 1" in the javadoc for PreemptiveAuth, probably should be "@since 4.1.0", eh?

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@...
For additional commands, e-mail: dev-help@...

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-872?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12751183#action_12751183 ]

Oleg Kalnichevski commented on HTTPCLIENT-872:
----------------------------------------------

Gerald,

This one is going to be a difficult one. I think we should approach the problem in several incremental steps. Can we start off by implementing interceptors for caching Basic and Digest auth states in order to avoid having to re-authenticate subsequent requests that share the same execution context? Something along the line of this example:

http://svn.apache.org/repos/asf/httpcomponents/httpclient/trunk/httpclient/src/examples/org/apache/http/examples/client/ClientPreemptiveDigestAuthentication.java

Once we have that, we can think about adding a mechanism for preemtive initialization of the Basic scheme.

Cheers

Oleg

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@...
For additional commands, e-mail: dev-help@...

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-872?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12751252#action_12751252 ]

Gerald Turner commented on HTTPCLIENT-872:
------------------------------------------

I see what you mean — ran some tests and it's apparent that reused connections keep repeating the authentication handshake, need to cache the Authorization header, worthy of a separate JIRA, yeah?  Digest is more complicated since it'll need to increment the "nc" value and generate a new "cnonce" each subsequent request.  I have no idea about NTLM.

With preemptive authentication, do you believe that the "nonce" can be pre-seeded?  Maybe some servers can be tricked, but that doesn't seem like the way the protocol was intended.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@...
For additional commands, e-mail: dev-help@...

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-872?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12751373#action_12751373 ]

Oleg Kalnichevski commented on HTTPCLIENT-872:
----------------------------------------------

> need to cache the Authorization header, worthy of a separate JIRA, yeah?

I think it might as easy as just caching AuthScheme instance. This looks like a related issue to me, but feel free to open a separate JIRA for it.

> With preemptive authentication, do you believe that the "nonce" can be pre-seeded? Maybe some servers can be tricked, but that doesn't
> seem like the way the protocol was intended.

It is certainly feasible, though a bad idea from the security standpoint. However, some people did express interest in having such a possibility. Anyways, reusing the "nonce" between requests within a session does seem reasonable.

Oleg



--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@...
For additional commands, e-mail: dev-help@...

     [ https://issues.apache.org/jira/browse/HTTPCLIENT-872?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Oleg Kalnichevski updated HTTPCLIENT-872:
-----------------------------------------

         Priority: Major  (was: Trivial)
    Fix Version/s: 4.1 Alpha1

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@...
For additional commands, e-mail: dev-help@...

     [ https://issues.apache.org/jira/browse/HTTPCLIENT-872?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Oleg Kalnichevski resolved HTTPCLIENT-872.
------------------------------------------

    Resolution: Fixed

* HttpClient can now persist authentication data between request executions as long as they share the same execution context.
* It has also become much easier to make HttpClient authenticate preemptively by pre-populating authentication data cache

Compare old code (4.0):
http://svn.apache.org/repos/asf/httpcomponents/httpclient/branches/4.0.x/httpclient/src/examples/org/apache/http/examples/client/ClientPreemptiveBasicAuthentication.java
http://svn.apache.org/repos/asf/httpcomponents/httpclient/branches/4.0.x/httpclient/src/examples/org/apache/http/examples/client/ClientPreemptiveDigestAuthentication.java

with new one (4.1):
http://svn.apache.org/repos/asf/httpcomponents/httpclient/trunk/httpclient/src/examples/org/apache/http/examples/client/ClientPreemptiveBasicAuthentication.java
http://svn.apache.org/repos/asf/httpcomponents/httpclient/trunk/httpclient/src/examples/org/apache/http/examples/client/ClientPreemptiveDigestAuthentication.java

Please review / test / give feedback

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@...
For additional commands, e-mail: dev-help@...

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-872?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12779837#action_12779837 ]

Asankha C. Perera commented on HTTPCLIENT-872:
----------------------------------------------

This is excellent.. the new example looks very elegant and is much easier to use

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@...
For additional commands, e-mail: dev-help@...