commons-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Geir Magnusson Jr." <>
Subject Re: JJar via authenticating proxy
Date Mon, 03 Jun 2002 11:49:23 GMT
On 6/3/02 7:22 AM, "Ross Gardler" <> wrote:

> (copied back to jakarta-commons in case anywone there has a better idea)

I assume that you didn't guess I sent it privately for a reason?
I didn't want there to be any expectation of delivery, as I have an awful
track record lately on this...

But I am working to use for a client, so I expect it'll roll soon.


> Geir Magnusson Jr. wrote:
>>> Is it possible to use the JJar ANT task via an authenticating proxy?
>>> It works fine through a non-authenticating proxy using the
>>> http.proxyHost and http.proxyPort system properties, but with an
>>> authenticating proxy a 407 (authentication failure) is returned.
>> Working on JJAR now, and will be posting code back to commons in the next
>> week or so.
>> How would this work?  How do you specify the auth info?
> This issue has come about on the Centipede build system which uses JJar
> (
> The following code snippet illustrates how to connet to an
> authenticating server:


That is what I thought - the standard HTTP basic auth stuff.  I have the
same code elsewhere I can roll in.

> 1. Put the username and password in the ANT build file and pass them to
> the JJAR test
> 2. Have ant ask for the username and password interactively and pass the
> values to the JJAR task
> 3. Define our own System propoerties to hold the username and password
> and have JJAR extract them from there
> 1 & 3 have a problem in that we either have to force the user to encode
> the values before setting them or we create a security problem by
> storing them unencoded.

Well, uuencoding doesn't make anything secret, just gibberish at first
glance.  And since we would be sending what is effectively cleartext
> 2 is perhaps the best. We could set a property in the build file
> indicating whether we are connecting through an authenticating proxy or
> not, thus prompting the user for username and password. Furthermore,
> using this method we allow the user to decide if they want to store the
> username/password in the build file and thus prevent the need to type
> them each time.
> What do you think?

The problem with 2 is that it doesn't work for anything automated - for
example a build system that is run automatically for testing would need to
have the values somewhere.

I think what we need is to give people the choice - one option to specify
the values like #1, and one for #2, so if you want to keep it secret and do
interactively, you can.

Since we are talking about a security system that does everything in
cleartext, doing something fancier doesn't make sense at first.

Geir Magnusson Jr.
Research & Development, Adeptra Inc.

To unsubscribe, e-mail:   <>
For additional commands, e-mail: <>

View raw message