Camel / CAMEL-4056

Support for preemptive basic authentication

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Later
    • Affects Version/s: 2.7.2
    • Fix Version/s: 2.10.0
    • Component/s: camel-http
    • Labels: None
    • Patch Info: Patch Available

      Description

      Currently Camel only sends credentials when a server explicitly prompts for basic authentication. However, there are cases where a URL is available to both authenticated as well as unauthenticated parties. In that case the camel-http component won't send any credentials to the server, even though the credentials are explicitly provided in the URI or Exchange.

      This can be solved by enabling preemptive authentication in Apache HttpClient. In that case the credentials will always be provided whether the server asks for it or not. Enabling this provides a sensible default.

          Activity

          Richard Kettelerij added a comment -

          Rescheduling for 2.9

          Richard Kettelerij added a comment -

          Reverted commit 1132500 for now.

          Claus Ibsen added a comment -

          Richard did you revert this?

          Willem Jiang added a comment -

          @Richard,

          Yeah, you need to do the same thing in camel-http4.
          BTW
          Don't forget to update the wiki page of http and http4.

          Richard Kettelerij added a comment - - edited

          Willem, Claus,

          Thanks for reporting. I was also thinking about the same, we shouldn't enable preemptive auth by default since it's a potential security risk (although we already allow authentication against arbitrary realms and hosts, which might be a bigger security risk). I'll make this setting non-default asap. Furthermore I'm working on getting it running in camel-http4.

          Willem Jiang added a comment -

          Hi Richard,
          When I ran some http tests I found there are some warnings like this

          2011-06-09 16:19:17,272 [main           ] WARN  HttpMethodDirector             - Required credentials not available for BASIC <any realm>@localhost:23001
          2011-06-09 16:19:17,272 [main           ] WARN  HttpMethodDirector             - Preemptive authentication requested but no default credentials available
          

          I think it is caused by your recent change. I don't think enabling preemptive basic authentication by default is a good idea, because in most cases we don't need that.
          Can we change the default value to be false?
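
Added example, not part of the original thread and not Camel's own code: the scoping risk Richard Kettelerij mentions and the WARN lines quoted in this comment both depend on how credentials are registered with Commons HttpClient 3.x. The sketch below binds credentials to one host and port instead of any host, and only turns preemptive mode on when credentials exist. The class name, helper names, host and credentials are constructed for illustration.

```java
import org.apache.commons.httpclient.Credentials;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.UsernamePasswordCredentials;
import org.apache.commons.httpclient.auth.AuthScope;

public class ScopedPreemptiveAuth {

    /**
     * Builds a Commons HttpClient 3.x client (hypothetical helper).
     * Preemptive auth is opt-in and is only switched on when credentials
     * were supplied, so HttpMethodDirector has no reason to log
     * "Preemptive authentication requested but no default credentials available".
     */
    static HttpClient build(String host, int port, String user, String password,
                            boolean preemptive) {
        HttpClient client = new HttpClient();
        boolean haveCredentials = user != null && password != null;
        if (haveCredentials) {
            // Bind the credentials to one host and port rather than AuthScope.ANY,
            // so they are not selected for a request to a different server.
            AuthScope scope = new AuthScope(host, port, AuthScope.ANY_REALM);
            client.getState().setCredentials(scope,
                    new UsernamePasswordCredentials(user, password));
        }
        client.getParams().setAuthenticationPreemptive(preemptive && haveCredentials);
        return client;
    }

    /** True when the client state holds credentials matching this host and port. */
    static boolean hasCredentialsFor(HttpClient client, String host, int port) {
        Credentials c = client.getState().getCredentials(new AuthScope(host, port));
        return c != null;
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the issue.
        HttpClient client = build("api.example.test", 8443, "svc-user", "changeit", true);
        System.out.println("preemptive: " + client.getParams().isAuthenticationPreemptive());
        System.out.println("scoped host: " + hasCredentialsFor(client, "api.example.test", 8443));
        // Lookup for a host the credentials were not bound to.
        System.out.println("other host: " + hasCredentialsFor(client, "other.example.test", 8443));

        // No credentials supplied: the preemptive request is ignored.
        HttpClient anonymous = build("api.example.test", 8443, null, null, true);
        System.out.println("anonymous preemptive: "
                + anonymous.getParams().isAuthenticationPreemptive());
    }
}
```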

          Claus Ibsen added a comment -

          Just noticed these WARN from osgi test

          [RMI TCP Connection(1)-10.0.1.4] WARN org.apache.commons.httpclient.HttpMethodDirector - Preemptive authentication requested but no default credentials available

          I didn't take a look. But I wonder if this change causes WARNs to be logged now?

          Richard Kettelerij added a comment -

          Just found out we do mention preemptive auth in the documentation (although not very noticeable)...

          Richard Kettelerij added a comment -

          trunk: 1132500. Currently only for camel-http, I'm evaluating if this applies to camel-http4.


            People

            • Assignee:
              Richard Kettelerij
              Reporter:
              Richard Kettelerij