When behind an authenticated HTTP proxy, two requests are sent for each file transfer; the first does not include credentials, which causes a 407 (denied) response. The cause for this appears to be that by default the Apache HttpClient does not preemptively authenticate (http://hc.apache.org/httpclient-3.x/authentication.html#Preemptive_Authentication).
We will try to come up with a patch hoping to have it shipped in 3.6.
Created attachment 168391: Enable pre-emptive authentication
The patch enables preemptive authentication for HttpClient in HttpClientFileSystemBrowser and HttpClientRetrieveFileTransfer which applies to HEAD and GET requests.
Matthew...thanks for the patch. Adding Henrich for comment about potential interaction with newly changed proxy authentication handling or other regression. Matthew...do you know of any possible regressions resulting from use of httpClient.getParams().setAuthenticationPreemptive(true); Thanks in advance.
The change (should) only impact requests which have either server authentication, or proxy authentication associated with them. According to the HttpClient documentation, if no credentials are provided to the client then having preemptive set has no impact. I tested the changes using a proxy with and without authentication. I haven't yet tried a repository which requires authentication, but I can set one up in a VM if there aren't any available.
(In reply to comment #4)
> The change (should) only impact requests which have either server
> authentication, or proxy authentication associated with them. According to the
> HttpClient documentation if no credentials are provided to the client then
> having preemptive set has no impact.
>
> I tested the changes using a proxy with, and without authentication, I haven't
> yet tried a repository which requires authentication but I can set one up in a
> VM if there aren't any available.
Thanks for the info and testing. If you would test in any/all available environments it would be appreciated, as I/we are a little limited in test environments and have to depend upon community for testing for regression. I would like to get Henrich's comments...and testing in proxy environments that he has available as well before I release the patch to HEAD. I've applied in my local environment, and tested in my local environment with no problems. So I'm ready to release to HEAD as soon as we get some input from Henrich (Henrich has recently made significant changes to the proxy handling to deal with another issue, and I'm a little concerned that this fix could interact with those fixes). Again, thanks.
My main concern is how the patch interacts with HttpClientProxyCredentialProvider which is currently the way proxy credentials are made available to HttpClient. This interaction should be well understood, but at the moment I have not the time to look into that. HttpClientProxyCredentialProvider supports both NTLM credentials and normal HTTP credentials. At first glance it looks like the patch may interfere with NTLM proxy authentication.
The HttpClientProxyCredentialProvider recognizes if the credentials are not accepted. Before this check was introduced this case was causing an endless retry loop so that ECF caller would not get control. The testing steps where I saw this problem are described in https://bugs.eclipse.org/bugs/show_bug.cgi?id=295030#c62
I believe cancel still worked in that scenario. Hoping this helps. Thank you, Henrich
Given that since the work on this bug ECF has moved to httpclient4/httpcomponents as the primary http filetransfer provider, I'm going to mark this bug as invalid. If there is more to do here, and resources available to do it, then please reopen.
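The exchange discussed in this thread, as an added in-memory model that is not part of the bug report and is not ECF or HttpClient code: it counts the requests one transfer costs with reactive versus preemptive proxy authentication, and caps retries so rejected credentials cannot loop. The names `proxy` and `transfer`, the sample credentials and the retry cap are assumptions, and only the Basic scheme is modelled (NTLM is a multi-step handshake and is not covered).

```python
import base64

# Constructed sample credentials accepted by the model proxy (not from the thread).
PROXY_USER, PROXY_PASS = "alice", "s3cret"


def basic_header(user, password):
    """Value of a Proxy-Authorization header for the Basic scheme."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def proxy(headers):
    """Model authenticating proxy: 200 if the credentials match, else 407."""
    if headers.get("Proxy-Authorization") == basic_header(PROXY_USER, PROXY_PASS):
        return 200, {}
    return 407, {"Proxy-Authenticate": 'Basic realm="proxy"'}


def transfer(creds, preemptive, max_auth_attempts=1):
    """Send one request through the proxy; return (final status, statuses seen).

    creds is a (user, password) tuple or None. max_auth_attempts bounds how
    often credentials are offered, so a rejected credential ends the exchange
    instead of retrying forever.
    """
    seen = []
    headers = {}
    attempts = 0
    if preemptive and creds:
        # Preemptive: attach credentials before any challenge is received.
        headers["Proxy-Authorization"] = basic_header(*creds)
        attempts = 1
    while True:
        status, _ = proxy(headers)
        seen.append(status)
        if status != 407 or creds is None or attempts >= max_auth_attempts:
            return status, seen
        # Reactive: answer the 407 challenge with the stored credentials.
        headers["Proxy-Authorization"] = basic_header(*creds)
        attempts += 1
```

With preemptive mode on, the Basic credential leaves the client on the first request without a challenge, so it should be configured only for the proxy it belongs to.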