commons-dev mailing list archives

From "Paul C. Bryan" <>
Subject Re: [HttpClient] Support for Basic and Form-based authentication ?
Date Thu, 03 Jan 2002 23:23:32 GMT
Vincent Massol wrote:

> I think I agree with you ... ;-). Let's keep it outside of HttpClient
> (unless others chime in and think it should be in, in which case we could
> reopen the discussion).


> However, what would be nice is to provide authentication interfaces so
> that it is possible for an application to plug in its own authentication
> scheme. 

I have implemented a number of authentication schemes around the 
HttpClient library -- for Lotus Domino, WebLogic and iPlanet Software. 
Domino and iPlanet were configured to use form-based authentication, 
while WebLogic was configured to use HTTP basic.

Unfortunately, my work was performed under contract, and I am not at 
liberty to disclose it; otherwise, I would have been happy to share it 
here as a reference.

Building custom authentication modules is relatively easy -- simply code 
that makes an HTTP request to a particular URL with parameters in the 
query string, and some simple code to verify whether the authentication 
was successful or not.

I can envision a library that wraps the HttpClient library to provide 
this feature, allowing the context of the resulting session to be 
represented through cookie(s) in the HttpState object. This would not be 
too complicated to implement.

> Do you know if this already exists ? If so, is there some documentation
> or could you explain in a few words how I would plug in my own
> authentication scheme ?

I'm not aware of any other implementations. Perhaps others may mention 
one here in this list.

Performing form-based authentication is as simple as establishing a 
connection to a server, making a request with the right credential 
parameters, and parsing the response to ensure successful 
authentication. If cookies are used for further session identification, 
the HttpClient will take care of the rest automagically.

HTTP basic authentication is even easier, because you simply set the 
credentials in the HttpState object before using it in a method (such as 
GetMethod). You can leave the HTTP credentials set in the HttpState 
object, which you should use in each subsequent request. If 
authentication fails, then it's evident in the response code.

Yours truly,

Paul C. Bryan <>
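
The two flows described in this message, as an added sketch that is not code from the poster or from the HttpClient project. It assumes the later Commons HttpClient 3.x API, which postdates this message; the form field names, the "login" redirect marker and the URLs passed in are hypothetical. Credentials go in the POST body rather than the query string so they stay out of URLs and access logs.

```java
import org.apache.commons.httpclient.Header;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.HttpStatus;
import org.apache.commons.httpclient.UsernamePasswordCredentials;
import org.apache.commons.httpclient.auth.AuthScope;
import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.httpclient.methods.PostMethod;
import java.io.IOException;

public class AuthSketch {
    // Form-based login: submit credentials, then verify the outcome explicitly.
    static boolean formLogin(HttpClient client, String loginUrl,
                             String user, String pass) throws IOException {
        PostMethod post = new PostMethod(loginUrl);
        post.addParameter("username", user);   // field name is an assumption
        post.addParameter("password", pass);   // field name is an assumption
        try {
            int status = client.executeMethod(post);
            if (status == HttpStatus.SC_MOVED_TEMPORARILY) {
                // A redirect back to the login page means the login was rejected.
                Header loc = post.getResponseHeader("Location");
                return loc != null && loc.getValue().indexOf("login") < 0;
            }
            // Failed form logins often answer 200 with the form again, so the
            // status code alone proves nothing; look for the password field.
            String body = post.getResponseBodyAsString();
            return status == HttpStatus.SC_OK && body != null
                    && body.indexOf("name=\"password\"") < 0;
        } finally {
            post.releaseConnection();   // session cookies stay in client.getState()
        }
    }

    // HTTP basic: credentials live in HttpState, scoped to one host and realm
    // so they are never offered to any other server the client talks to.
    static boolean basicAccepted(HttpClient client, String host, int port, String realm,
                                 String url, String user, String pass) throws IOException {
        client.getState().setCredentials(new AuthScope(host, port, realm),
                new UsernamePasswordCredentials(user, pass));
        GetMethod get = new GetMethod(url);   // use an https:// URL; basic is only base64
        get.setDoAuthentication(true);
        try {
            // A 401 after the credentials were offered means they were rejected.
            return client.executeMethod(get) != HttpStatus.SC_UNAUTHORIZED;
        } finally {
            get.releaseConnection();
        }
    }
}
```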
