Currently the client sends the Basic Authorization header in every request. This is often the desired behaviour (for instance, GitHub always sends 404 instead of 401), but it is not the most secure one (one can use http-client towards a server which supports http to https and miss a severe security issue: sending credentials openly).
This is exactly the case where simplicity hurts security. To address this we must introduce an extra configuration step: a flag which is disabled by default, params.auth.preemptive = false. In this flag's documentation we must mention that extra care should be taken: one must at least verify that the https protocol is specified in the url (this is not always sufficient though). More details on this can be found here: https://hc.apache.org/httpclient-3.x/authentication.html#Preemptive_Authentication
Implementation details: with preemptive authentication off there will be at least two real http requests for every request: one to get the 401 Unauthorized response and one more to do the real job authenticated. This definitely hurts performance, and to avoid it successful authentications should be cached in memory per base url. It would be a good idea to invalidate the cache if 401 is returned for a cached authentication.
This is a breaking change which will most likely affect all usages of the library.
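The challenge-then-cache flow described under "Implementation details", as an added example (not the library's own code). The transport callable, the class names and the refusal to attach credentials to non-https URLs are assumptions of this example, and the server is a constructed in-memory stand-in.

```python
from urllib.parse import urlsplit

class FakeServer:
    """Constructed stand-in: 200 when the expected header is present, else 401."""
    def __init__(self, expected):
        self.expected = expected
        self.calls = []  # (url, credentials_sent) per request, for inspection

    def __call__(self, url, headers):
        self.calls.append((url, "Authorization" in headers))
        return 200 if headers.get("Authorization") == self.expected else 401

class ChallengeAuthClient:
    """Hypothetical client: credentials go out only after a 401 or a cache hit."""
    def __init__(self, transport, basic_header, preemptive=False):
        self.transport = transport        # callable(url, headers) -> status code
        self.basic_header = basic_header  # "Basic <base64 of user:password>"
        self.preemptive = preemptive      # mirrors params.auth.preemptive
        self.authenticated = set()        # base URLs that accepted the credentials

    def request(self, url):
        parts = urlsplit(url)
        base = f"{parts.scheme}://{parts.netloc}"
        creds = {"Authorization": self.basic_header}
        if parts.scheme != "https":
            # Assumption of this example: never send Basic credentials in cleartext.
            return self.transport(url, {})
        if self.preemptive or base in self.authenticated:
            status = self.transport(url, creds)
            if status == 401:
                # Cached authentication was rejected: invalidate the entry.
                self.authenticated.discard(base)
            return status
        # First contact with this base URL: probe without credentials.
        status = self.transport(url, {})
        if status != 401:
            return status
        # Challenged: repeat once with credentials, cache the base URL on success.
        status = self.transport(url, creds)
        if status != 401:
            self.authenticated.add(base)
        return status
```

The first request to a base URL costs two round trips; later requests to the same base URL cost one until a 401 clears the cache entry.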