HTTP Basic authentication

nk4um Moderator
Posts: 901
February 9, 2012 21:07

The defaults are as specified - so by default we're saying only use Digest or Basic (in that order). So you will not need to change any code - the defaults should just work for you. I'll send the new http-client module for you to try out.

nk4um Moderator
Posts: 901
February 9, 2012 21:04

OK it was actually better to implement this on the config - since the order is specified on the client not on the credentials. Here's the docs for what I've implemented...


The current default configuration is as follows:

<config>
  <followRedirects>true</followRedirects>
  <retryAttempts>3</retryAttempts>
  <maxConnectionsPerHost>4</maxConnectionsPerHost>
  <maxTotalConnections>10</maxTotalConnections>
  <maxAcceptableContentLength>-1</maxAcceptableContentLength>
  <stateExpirationTime>600</stateExpirationTime>
  <connectTimeout>2000</connectTimeout>
  <timeout>5000</timeout>
  <expectContinue>true</expectContinue>
  <userAgent>NetKernel 4.x.x, active:httpXXXX client, Apache Client 4.1</userAgent>
  <authSchemePreferenceOrder>Digest,Basic</authSchemePreferenceOrder>
</config>

Supply a document with the overrides you wish to use, e.g. :

<config>
  <followRedirects>false</followRedirects>
  <expectContinue>false</expectContinue>
</config>

Warning: both maxConnectionsPerHost and maxTotalConnections are global values in the internal code, so they may get affected if multiple clients use the accessor concurrently.

authSchemePreferenceOrder

This should be a comma separated list of authentication scheme names. Values are case sensitive. Valid values are:

  • Basic
  • Digest
  • NTLM
  • negotiate
nk4um Moderator
Posts: 901
February 9, 2012 20:27

Hi Glenn - I think I have it worked out. I'm guessing that you're talking to a Windows server which is offering Kerberos as a priority authentication method? If so then it would appear that the Apache client is attempting to use this first - it must take this as its default priority level.

It appears to be simple to specify an ordered list of protocols to use...

http://hc.apache.org/httpcomponents-client-ga/tutorial/html/authentication.html#d5e915

So we'll tweak the credential transreptor so that you can provide an ordered list like this...

<httpCredentials>
  <host>browserspy.dk</host>
  <port>80</port>
  <username>test</username>
  <password>test</password>
  <authSchemePreferenceOrder>BASIC,DIGEST,...</authSchemePreferenceOrder>
</httpCredentials>

...(we'll have to work out the possible values of the Scheme strings and list them in the docs).

I'll send you an update tomorrow and we'll see if this sorts it.

Cheers,

P.

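An added example (not from the thread and not NetKernel's own code) of the Apache HttpClient 4.1 calls that an ordered scheme list like the one proposed in the post above maps to, following the linked tutorial section. It reuses the browserspy.dk test host and test/test credentials quoted in the thread; the class name is made up for illustration.

```java
import java.util.Arrays;
import java.util.List;

import org.apache.http.HttpResponse;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.auth.params.AuthPNames;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.params.AuthPolicy;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.util.EntityUtils;

// Hypothetical class name; requires Apache HttpClient 4.1 on the classpath.
public class PreferDigestThenBasic {
    public static void main(String[] args) throws Exception {
        DefaultHttpClient client = new DefaultHttpClient();
        try {
            // Only the schemes listed here are tried, in this order.
            // Leaving out AuthPolicy.SPNEGO ("negotiate") and AuthPolicy.NTLM
            // stops the client from answering a Negotiate challenge, which is
            // what produced the "Failed to find any Kerberos tgt" error.
            List<String> order = Arrays.asList(AuthPolicy.DIGEST, AuthPolicy.BASIC);
            client.getParams().setParameter(AuthPNames.TARGET_AUTH_PREF, order);

            // Credentials are scoped to one host and port. A request to any
            // other host or port finds no credentials and stays unauthenticated.
            client.getCredentialsProvider().setCredentials(
                    new AuthScope("browserspy.dk", 80),
                    new UsernamePasswordCredentials("test", "test"));

            // Test URL taken from the thread. Basic only base64-encodes the
            // password, so a real service should be reached over https.
            HttpGet get = new HttpGet("http://browserspy.dk/password-ok.php");
            HttpResponse response = client.execute(get);
            System.out.println(response.getStatusLine());
            EntityUtils.consume(response.getEntity());
        } finally {
            client.getConnectionManager().shutdown();
        }
    }
}
```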
nk4um User
Posts: 39
February 9, 2012 18:25

Hi

Thanks for the replies Peter. I don't think the <dereference> (or lack thereof) is the problem. For example, this:

<sequence>
  <literal assignment="credentials" type="xml">
    <httpCredentials>
      <host>browserspy.dk</host>
      <port>80</port>
      <username>test</username>
      <password>test</password>
    </httpCredentials>
  </literal>
  <request assignment="s1">
    <verb>NEW</verb>
    <identifier>active:httpState</identifier>
    <argument name="credentials">this:credentials</argument>
  </request>
  <request assignment="response">
    <identifier>active:httpGet</identifier>
    <argument name="url">http://browserspy.dk/password-ok.php</argument>
    <argument name="state">this:s1</argument>
  </request>
</sequence>

works fine (I deliberately left the username and password in there as that site exists only to allow you to test the authentication).

I can run the above bit of DPML just fine, however when I modify it for the specific REST service that I'm trying to access, I get the "no credentials supplied" error I referred to in the original post (whether or not I add the <dereference> line). The only differences are:

  • I'm using a different host and port (the <host> line in the httpCredentials matches that in the URL)
  • The username and password are different, obviously
  • The URL in the httpGet block is enclosed in a CDATA block
  • The URL is https not http.

I wonder is it this last fact that's causing my issue.

Glenn.

nk4um Moderator
Posts: 901
February 9, 2012 13:38

Hi Glenn - actually I now see the problem. The response from the NEW to active:httpState is an identifier in a String. This is the identifier of the new state resource (containing the credentials).

The httpGet request needs the identity of the state in its state argument - not the string value. To do this you would do the following...

<request assignment="response">
  <identifier>active:httpGet</identifier>
  <argument name="url">long.get.url.with.params</argument>
  <argument name="state">
    <dereference>this:s1</dereference>
  </argument>
</request>

Dereference is a built-in feature of DPML that converts a value to an identifier. Docs are here...

http://docs.netkernel.org/book/view/book:lang:dpml:book/doc:lang:dpml:guide:dereference

nk4um Moderator
Posts: 901
February 9, 2012 13:29

Hi Glenn,

In the credentials - does the value you have for <host> match exactly the host part of the URL? The Apache http client uses a map to look up the credentials for a given host and so this (and port) must match exactly.

It negotiates the protocol - we've seen no problem with Basic before.

P.

nk4um User
Posts: 39
February 9, 2012 13:00

HTTP Basic authentication

I want to use NK (via active:httpGet initially) to access a URL which is behind an HTTP authentication layer. I can access the URL using curl like so:

curl -v --user "username:password" "https://long.get.url.with.params/"

The verbose output from curl shows that HTTP Basic authentication is being used, which is correct. The command above returns the response I expect from the REST service I'm accessing.

In my NK application I have some DPML which I think should do the same thing:

<sequence>
  <literal assignment="credentials" type="xml">
    <httpCredentials>
      <host>thehostname</host>
      <port>theport</port>
      <username>username</username>
      <password>password</password>
    </httpCredentials>
  </literal>
  <request assignment="s1">
    <verb>NEW</verb>
    <identifier>active:httpState</identifier>
    <argument name="credentials">this:credentials</argument>
  </request>
  <request assignment="response">
    <identifier>active:httpGet</identifier>
    <argument name="url">long.get.url.with.params</argument>
    <argument name="state">this:s1</argument>
  </request>
</sequence>

However I'm not sure that this is doing the authentication negotiation correctly as I get the following error:

Feb 09, 2012 7:51:54 AM org.apache.http.client.protocol.RequestTargetAuthentication process
SEVERE: Authentication error: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt))

I definitely don't want to be using Kerberos here! Is there a way to force it to use good ol' basic authentication?

Regards

Glenn.
