HttpClient (4.3.5) - HTTP authentication

Source: Internet
Author: User
Tags: http, authentication, rfc

HttpClient provides full support for the authentication schemes defined by the HTTP standard specification as well as a number of widely used non-standard authentication schemes such as NTLM and SPNEGO.

User Credentials

Any process of user authentication requires a set of credentials that can be used to establish user identity. In the simplest form user credentials can be just a user name / password pair. UsernamePasswordCredentials represents a set of credentials consisting of a security principal and a password in clear text. This implementation is sufficient for the standard authentication schemes defined by the HTTP standard specification.

    UsernamePasswordCredentials creds = new UsernamePasswordCredentials("user", "pwd");
    System.out.println(creds.getUserPrincipal().getName());
    System.out.println(creds.getPassword());

stdout >

    user
    pwd

NTCredentials is a Microsoft Windows specific implementation that includes, in addition to the user name / password pair, a set of additional Windows specific attributes such as the name of the user domain. In a Microsoft Windows network the same user can belong to multiple domains, each with a different set of authorizations. Note that the domain name is normalized to upper case by the principal.

    NTCredentials creds = new NTCredentials("user", "pwd", "workstation", "domain");
    System.out.println(creds.getUserPrincipal().getName());
    System.out.println(creds.getPassword());

stdout >

    DOMAIN/user
    pwd

Authentication schemes

The AuthScheme interface represents an abstract challenge-response oriented authentication scheme. An authentication scheme is expected to support the following functions:

    • Parse and process the challenge sent by the target server in response to a request for a protected resource.
    • Provide properties of the processed challenge: the authentication scheme type and its parameters, such as the realm this authentication scheme is applicable to, if available.
    • Generate the authorization string for the given set of credentials and the HTTP request in response to the actual authorization challenge.

Please note that authentication schemes may be stateful, involving a series of challenge-response exchanges.

HttpClient ships with several AuthScheme implementations:

  • Basic: Basic authentication scheme as defined in RFC 2617 (since superseded by RFC 7617). This authentication scheme is insecure, as the credentials are transmitted in clear text: the Base64 encoding of the user name and password is trivially reversible. Despite its insecurity the Basic authentication scheme is perfectly adequate if used in combination with TLS/SSL encryption.
  • Digest: Digest authentication scheme as defined in RFC 2617 (since superseded by RFC 7616). Digest authentication scheme is significantly more secure than Basic and can be a good choice for those applications that do not want the overhead of full transport security through TLS/SSL encryption. Keep in mind that Digest only keeps the password itself off the wire; it does not protect the request or response content, and the implementation in this version relies on MD5, so it is not a substitute for TLS.
  • NTLM: NTLM is a proprietary authentication scheme developed by Microsoft and optimized for Windows platforms. NTLM is believed to be more secure than Digest. Its cryptography is nevertheless weak by modern standards (NTLMv1 in particular), so Kerberos should be preferred wherever it is available.
  • SPNEGO: SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) is a GSSAPI "pseudo mechanism" that is used to negotiate one of a number of possible real mechanisms. SPNEGO's most visible use is in Microsoft's HTTP Negotiate authentication extension. The negotiable sub-mechanisms include NTLM and Kerberos supported by Active Directory. At present HttpClient only supports the Kerberos sub-mechanism.
  • Kerberos: Kerberos authentication implementation.
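The three AuthScheme functions listed above (parse the challenge, expose its properties, generate the authorization string) can be exercised directly, without a server, against the shipped BasicScheme and DigestScheme. The following is an added example, not code from the HttpClient tutorial; it assumes HttpClient 4.3.x on the classpath and Java 8 (for java.util.Base64), and the two challenge headers, the realm "demo", the nonce and opaque values and the request URI are constructed for the demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import org.apache.http.Header;
import org.apache.http.auth.AUTH;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.auth.BasicScheme;
import org.apache.http.impl.auth.DigestScheme;
import org.apache.http.message.BasicHeader;
import org.apache.http.protocol.BasicHttpContext;
import org.apache.http.protocol.HttpContext;

public class AuthSchemeDemo {

    public static void main(String[] args) throws Exception {
        UsernamePasswordCredentials creds = new UsernamePasswordCredentials("user", "pwd");
        HttpGet request = new HttpGet("/protected/report");   // constructed request
        HttpContext context = new BasicHttpContext();

        // Constructed challenges, shaped like the WWW-Authenticate headers a
        // server sends with a 401 response (realm, nonce and opaque are made up).
        Header basicChallenge = new BasicHeader(AUTH.WWW_AUTH, "Basic realm=\"demo\"");
        Header digestChallenge = new BasicHeader(AUTH.WWW_AUTH,
                "Digest realm=\"demo\", qop=\"auth\", algorithm=MD5, "
                + "nonce=\"dcd98b7102dd2f0e8b11d0f600bfb0c093\", "
                + "opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"");

        // 1. Basic: parse the challenge, inspect its properties, then generate
        //    the Authorization header for the given credentials and request.
        BasicScheme basic = new BasicScheme();
        basic.processChallenge(basicChallenge);
        System.out.println(basic.getSchemeName() + " realm=" + basic.getRealm()
                + " complete=" + basic.isComplete());
        Header basicAuth = basic.authenticate(creds, request, context);
        System.out.println(basicAuth);

        // Base64 is an encoding, not encryption: anyone who sees the header
        // recovers "user:pwd", which is why Basic must only travel over TLS.
        String token = basicAuth.getValue().substring("Basic ".length());
        System.out.println("decoded: "
                + new String(Base64.getDecoder().decode(token), StandardCharsets.UTF_8));

        // 2. Digest: the same three steps. The generated header carries an MD5
        //    response computed over user, realm, password, nonce, method and URI
        //    (plus a client nonce and a counter) instead of the password itself.
        DigestScheme digest = new DigestScheme();
        digest.processChallenge(digestChallenge);
        System.out.println(digest.getSchemeName() + " realm=" + digest.getRealm()
                + " qop=" + digest.getParameter("qop") + " complete=" + digest.isComplete());
        Header digestAuth = digest.authenticate(creds, request, context);
        System.out.println(digestAuth);
        // The clear-text password never appears in the Digest header.
        System.out.println("password visible: " + digestAuth.getValue().contains("pwd"));
    }
}
```

Compile and run it with httpclient and httpcore 4.3.x on the classpath. The Basic header decodes straight back to the user name and password joined by a colon; the Digest header contains only the user name, the echoed challenge parameters and hex digests. Both schemes report `complete=true` after a single challenge, which is what distinguishes them from the stateful, multi-round NTLM and SPNEGO schemes.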

Credentials Provider

Credentials providers are intended to maintain a set of user credentials and to be able to produce user credentials for a particular authentication scope. An authentication scope consists of a host name, a port number, a realm name and an authentication scheme name. When registering credentials with the credentials provider one can provide a wild card (any host, any port, any realm, any scheme) instead of a concrete attribute value. The credentials provider is then expected to be able to find the closest match for a particular scope if a direct match cannot be found. Because the scope is the only thing standing between stored credentials and a challenging server, register credentials with the narrowest scope that works (concrete host and port) rather than wild cards.

HttpClient can work with any physical representation of a credentials provider that implements the CredentialsProvider interface. The default CredentialsProvider implementation, called BasicCredentialsProvider, is a simple implementation backed by a java.util.HashMap.

    CredentialsProvider credsProvider = new BasicCredentialsProvider();
    credsProvider.setCredentials(
        new AuthScope("somehost", AuthScope.ANY_PORT),
        new UsernamePasswordCredentials("u1", "p1"));
    credsProvider.setCredentials(
        new AuthScope("somehost", 8080),
        new UsernamePasswordCredentials("u2", "p2"));
    credsProvider.setCredentials(
        new AuthScope("otherhost", 8080, AuthScope.ANY_REALM, "ntlm"),
        new UsernamePasswordCredentials("u3", "p3"));

    // Port 80 matches only the any-port entry.
    System.out.println(credsProvider.getCredentials(
        new AuthScope("somehost", 80, "realm", "basic")));
    // Port 8080 matches both "somehost" entries; the more specific one wins.
    System.out.println(credsProvider.getCredentials(
        new AuthScope("somehost", 8080, "realm", "basic")));
    // Scheme mismatch: the "otherhost" entry is registered for NTLM only.
    System.out.println(credsProvider.getCredentials(
        new AuthScope("otherhost", 8080, "realm", "basic")));
    System.out.println(credsProvider.getCredentials(
        new AuthScope("otherhost", 8080, null, "ntlm")));

stdout >

    [principal: u1]
    [principal: u2]
    null
    [principal: u3]

HTTP Authentication and execution Context

HttpClient relies on the AuthState class to keep track of detailed information about the state of the authentication process. HttpClient creates two instances of AuthState in the course of HTTP request execution: one for target host authentication and another one for proxy authentication. In case the target server or the proxy require user authentication, the respective AuthState instance will be populated with the AuthScope, AuthScheme and Credentials used during the authentication process. The AuthState can be examined in order to find out what kind of authentication was requested, whether a matching AuthScheme implementation was found and whether the credentials provider managed to find user credentials for the given authentication scope.

In the course of HTTP request execution HttpClient adds the following authentication related objects to the execution context:

  • Lookup<AuthSchemeProvider> instance representing the actual authentication scheme registry. The value of this attribute set in the local context takes precedence over the default one.
  • CredentialsProvider instance representing the actual credentials provider. The value of this attribute set in the local context takes precedence over the default one.
  • AuthState instance representing the actual target authentication state. The value of this attribute set in the local context takes precedence over the default one.
  • AuthState instance representing the actual proxy authentication state. The value of this attribute set in the local context takes precedence over the default one.
  • AuthCache instance representing the actual authentication data cache. The value of this attribute set in the local context takes precedence over the default one.

The local HttpContext object can be used to customize the HTTP authentication context prior to request execution, or to examine its state after the request has been executed:

    CloseableHttpClient httpclient = <...>

    CredentialsProvider credsProvider = <...>
    Lookup<AuthSchemeProvider> authRegistry = <...>
    AuthCache authCache = <...>

    HttpClientContext context = HttpClientContext.create();
    context.setCredentialsProvider(credsProvider);
    context.setAuthSchemeRegistry(authRegistry);
    context.setAuthCache(authCache);
    HttpGet httpget = new HttpGet("http://somehost/");
    CloseableHttpResponse response1 = httpclient.execute(httpget, context);
    <...>

    AuthState proxyAuthState = context.getProxyAuthState();
    System.out.println("Proxy auth state: " + proxyAuthState.getState());
    System.out.println("Proxy auth scheme: " + proxyAuthState.getAuthScheme());
    System.out.println("Proxy auth credentials: " + proxyAuthState.getCredentials());
    AuthState targetAuthState = context.getTargetAuthState();
    System.out.println("Target auth state: " + targetAuthState.getState());
    System.out.println("Target auth scheme: " + targetAuthState.getAuthScheme());
    System.out.println("Target auth credentials: " + targetAuthState.getCredentials());

Caching of authentication Data

As of version 4.1 HttpClient automatically caches information about the hosts it has successfully authenticated with. Please note that one must use the same execution context to execute logically related requests in order for cached authentication data to propagate from one request to another. Authentication data is lost as soon as the execution context goes out of scope.

Preemptive authentication

HttpClient does not support preemptive authentication out of the box, because if misused or used incorrectly preemptive authentication can lead to significant security issues, such as sending user credentials in clear text to an unauthorized third party. Therefore, users are expected to evaluate the potential benefits of preemptive authentication versus the security risks in the context of their specific application environment.

Nonetheless one can configure HttpClient to authenticate preemptively by prepopulating the authentication data cache. BasicAuthCache is keyed by HttpHost, so the prepopulated scheme is applied only to requests addressed to exactly that scheme, host and port, and only if the credentials provider actually holds credentials whose AuthScope matches that host. Prepopulate the cache with a BasicScheme only for hosts reached over TLS.

    CloseableHttpClient httpclient = <...>

    HttpHost targetHost = new HttpHost("localhost", 80, "http");
    CredentialsProvider credsProvider = new BasicCredentialsProvider();
    credsProvider.setCredentials(
            new AuthScope(targetHost.getHostName(), targetHost.getPort()),
            new UsernamePasswordCredentials("username", "password"));

    // Create AuthCache instance
    AuthCache authCache = new BasicAuthCache();
    // Generate BASIC scheme object and add it to the local auth cache
    BasicScheme basicAuth = new BasicScheme();
    authCache.put(targetHost, basicAuth);

    // Add AuthCache to the execution context
    HttpClientContext context = HttpClientContext.create();
    context.setCredentialsProvider(credsProvider);
    context.setAuthCache(authCache);

    HttpGet httpget = new HttpGet("/");
    for (int i = 0; i < 3; i++) {
        // Every iteration sends the Authorization header up front: no 401 round trip
        CloseableHttpResponse response = httpclient.execute(
                targetHost, httpget, context);
        try {
            HttpEntity entity = response.getEntity();
            // <...> process the entity here
        } finally {
            response.close();
        }
    }
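The following added example (not code from the HttpClient tutorial) ties together the execution-context section, the note on caching and the preemptive example above by running all three situations against a JDK-built-in HttpServer and counting how many requests the server actually sees. It assumes HttpClient 4.3.x on the classpath and Java 7 or later; the server, its realm "demo-realm", the user "user" with password "pwd" and the out-of-scope "example.com:443" entry are constructed fixtures.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.util.concurrent.atomic.AtomicInteger;
import com.sun.net.httpserver.*;
import org.apache.http.HttpHost;
import org.apache.http.auth.*;
import org.apache.http.client.*;
import org.apache.http.client.methods.*;
import org.apache.http.client.protocol.HttpClientContext;
import org.apache.http.impl.auth.BasicScheme;
import org.apache.http.impl.client.*;
import org.apache.http.util.EntityUtils;

public class AuthContextDemo {

    // Every request reaching the server, 401-rejected ones included, is counted here.
    static final AtomicInteger hits = new AtomicInteger();

    // Constructed fixture: JDK server protecting "/" with Basic auth, realm "demo-realm".
    static HttpServer startServer() throws IOException {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        HttpContext ctx = server.createContext("/", new HttpHandler() {
            public void handle(HttpExchange ex) throws IOException {
                ex.sendResponseHeaders(204, -1);   // authenticated: empty 204 reply
                ex.close();
            }
        });
        ctx.setAuthenticator(new BasicAuthenticator("demo-realm") {
            @Override public Result authenticate(HttpExchange ex) {
                hits.incrementAndGet();            // counts before the 401/200 decision
                return super.authenticate(ex);
            }
            @Override public boolean checkCredentials(String user, String pw) {
                return "user".equals(user) && "pwd".equals(pw);
            }
        });
        server.start();
        return server;
    }

    // One GET of "/" on target within the given context; returns the status code.
    static int get(CloseableHttpClient client, HttpHost target, HttpClientContext ctx) throws IOException {
        CloseableHttpResponse response = client.execute(target, new HttpGet("/"), ctx);
        try {
            EntityUtils.consume(response.getEntity());
            return response.getStatusLine().getStatusCode();
        } finally {
            response.close();
        }
    }

    public static void main(String[] args) throws Exception {
        HttpServer server = startServer();
        HttpHost target = new HttpHost("127.0.0.1", server.getAddress().getPort(), "http");
        CloseableHttpClient client = HttpClients.createDefault();
        try {
            CredentialsProvider credsProvider = new BasicCredentialsProvider();
            credsProvider.setCredentials(new AuthScope(target.getHostName(), target.getPort()),
                    new UsernamePasswordCredentials("user", "pwd"));

            // 1. Reactive: fresh context, nothing cached. Round trip one gets the 401
            //    challenge, round trip two carries Authorization; AuthState records it.
            HttpClientContext ctx = HttpClientContext.create();
            ctx.setCredentialsProvider(credsProvider);
            hits.set(0);
            int status = get(client, target, ctx);
            AuthState state = ctx.getTargetAuthState();
            System.out.println("reactive:     status=" + status + " hits=" + hits.get()
                    + " state=" + state.getState() + " scheme=" + state.getAuthScheme().getSchemeName()
                    + " realm=" + state.getAuthScheme().getRealm());

            hits.set(0);   // 2. Same context reused: the cached scheme is replayed, one round trip
            System.out.println("cached:       status=" + get(client, target, ctx) + " hits=" + hits.get());

            // 3. Preemptive: new context with a prepopulated AuthCache, so even the
            //    very first request carries Authorization.
            AuthCache authCache = new BasicAuthCache();
            authCache.put(target, new BasicScheme());
            HttpClientContext pre = HttpClientContext.create();
            pre.setCredentialsProvider(credsProvider);
            pre.setAuthCache(authCache);
            hits.set(0);
            System.out.println("preemptive:   status=" + get(client, target, pre) + " hits=" + hits.get());

            // 4. A cache entry alone releases nothing: credentials scoped to another host
            //    (constructed example.com:443) never match target, so no header is sent.
            CredentialsProvider foreign = new BasicCredentialsProvider();
            foreign.setCredentials(new AuthScope("example.com", 443),
                    new UsernamePasswordCredentials("user", "pwd"));
            HttpClientContext wrongScope = HttpClientContext.create();
            wrongScope.setCredentialsProvider(foreign);
            wrongScope.setAuthCache(authCache);
            hits.set(0);
            System.out.println("out of scope: status=" + get(client, target, wrongScope) + " hits=" + hits.get());
        } finally {
            client.close();
            server.stop(0);
        }
    }
}
```

Step 1 costs two round trips and leaves the target AuthState at SUCCESS with scheme "basic" and realm "demo-realm"; step 2, in the same context, and step 3, with the prepopulated cache, each cost one. Step 4 ends with a 401 after a single round trip: the AuthScope check in the credentials provider is what keeps a cache entry from turning into credentials sent to a host they were never registered for, which is exactly the failure mode the warning above describes.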
