Overview
Examples
Screenshots
Comparisons
Applications
Download
Documentation
Tutorials
Bazaar
Status & Roadmap
FAQ
Authors & License
Forums
Funding Ultimate++
Search on this site
Search in forums












SourceForge.net Logo
Home » U++ Library support » U++ MT-multithreading and servers » HttpRequest : Add custon authentication capability
HttpRequest : Add custon authentication capability [message #46243] Fri, 01 April 2016 18:26 Go to next message
omari is currently offline  omari
Messages: 264
Registered: March 2010
Experienced Member
Hi,

i im trying to use NTLM authentication with HttpRequest,

for NTLM, i note the following particularity:
- Use 3 "GET" request.
- Keep connection alive between at least the lasts tow request.
- Use DES encryption.

After analysis of the used authentication mechanism in HttpRequest, I propose the following patch:

1 - remove the member variable "force_diget" et "digest"
2 - add a new memerer variable String "autheticate_header"
3 - in the void HttpRequest::StartRequest(), replace :
	if(!IsNull(digest))
		data << "Authorization: Digest " << digest << "\r\n";
	else
	if(!force_digest && (!IsNull(username) || !IsNull(password)))
		data << "Authorization: Basic " << Base64Encode(username + ":" + password) << "\r\n";


by
	data << autheticate_header;


4 - change 401 error management, in void HttpRequest::Finish(), replace :
	if(status_code == 401 && !IsNull(username)) {
		String authenticate = header["www-authenticate"];
		if(authenticate.GetCount() && redirect_count++ < max_redirects) {
			LLOG("HTTP auth digest");
			Digest(CalculateDigest(authenticate));
			Start();
			return;
		}
	}



by

	if(status_code == 401) {
		
		String authenticate = header["www-authenticate"];
		if(authenticate.GetCount() && redirect_count++ < max_redirects) {
			if(!IsNull(username) || !IsNull(password)) {
			
				if(authenticate.StartsWith("Basic"))
				{
					autheticate_header = "Authorization: Basic " + Base64Encode(username + ":" + password)+ "\r\n";
				}
				else
				if(authenticate.StartsWith("Digest"))
				{
					LLOG("HTTP auth digest");
					autheticate_header = "Authorization: Digest " + CalculateDigest(authenticate) + "\r\n";
				}
				else
				{
					WhenAuthentication(*this);
				}
			}
			else {
				WhenAuthentication(*this);
			}
			
			if(keep_alive)
				StartRequest();
			else
				Start();

			return;
		}
	}



5 - WhenAuthentication is declared as:
	Callback1<HttpRequest&>		WhenAuthentication;



6 - Add a mehode void ForceBasic(String user, String pw)
	void ForceBasic(String user, String pw) {autheticate_header << "Authorization: Basic " << Base64Encode(user + ":" + pw) << "\r\n";}



with this patch, a custom Authentication function can be added :

void Autenticate(HttpRequest& http)
{
	String www_authenticate = http.GetHeader("www-authenticate");
	if(!www_authenticate.StartsWith("NTLM"))
	{
		return;
	}
	//...
}
...
HttpReqest r;
r.WhenAuthentication = callback(Autenticate);



regards
omari.

[Updated on: Sat, 09 April 2016 17:25]

Report message to a moderator

Re: HttpRequest : Add custon authentication capability [message #46282 is a reply to message #46243] Thu, 07 April 2016 23:03 Go to previous messageGo to next message
mirek is currently offline  mirek
Messages: 13975
Registered: November 2005
Ultimate Member
Sounds like a good idea. I do not have energy to check this now, but I promise to incorporate this ASAP.
Re: HttpRequest : Add custon authentication capability [message #46326 is a reply to message #46282] Tue, 19 April 2016 13:05 Go to previous messageGo to next message
mirek is currently offline  mirek
Messages: 13975
Registered: November 2005
Ultimate Member
Something along these lines is now implemented.

I really did not liked "ForceBasic" - that is changing current behavior.

Digest authentication is now implemented through new interface just as "default callback", so I hope what I have done will be good for NTLM as well.

That said, if you succeed, I would like to have NTLM AT LEAST in bazaar, but maybe directly in HttpRequest...

(Check docs for details).

Mirek
Re: HttpRequest : Add custon authentication capability [message #46329 is a reply to message #46326] Thu, 21 April 2016 17:32 Go to previous messageGo to next message
omari is currently offline  omari
Messages: 264
Registered: March 2010
Experienced Member
I would be happy to contribute to U++.

mirek wrote on Tue, 19 April 2016 12:05

I really did not liked "ForceBasic" - that is changing current behavior.


in the current behavior, Basic Authentication is used without explicit action from user.
for security purpose, i think that the default shall be "No Basic Authentication", and need an explicit action from user, at least if there is no SSL.


regards
omari.
Re: HttpRequest : Add custon authentication capability [message #46333 is a reply to message #46329] Fri, 22 April 2016 09:39 Go to previous message
mirek is currently offline  mirek
Messages: 13975
Registered: November 2005
Ultimate Member
Well, that is not entirely true - to get basic authentication, you need to define user/password. At that point, it is similar to setting "ForceBasic".
Previous Topic: Multithread and INTERLOCK
Next Topic: [FIXED]HttpRequest hangs when Chunked response, without trailer, and KeepAlive is set. (patch & TC)
Goto Forum:
  


Current Time: Thu Mar 28 13:32:13 CET 2024

Total time taken to generate the page: 0.00998 seconds