1

I am trying to make a HTTPS-get request work in order to load a webpage wich has the url starting with "https:". I am using Indy10 (5248) with delphi 7. I don't seem to be able to get the authorization right, even using the same name/password or domain\name/password that I use in a browser. All I get is the same server response as if in the browser I would cancel the authentication request.

Now there are several ways to supply name/pwd:

  • they can be entered as property values in idHTTP.request
  • idem, in idHTTP.ProxyParams
  • idHTTP has a number of on...Authorization-events
  • a Post-example uses named parameters, but that seems to be specific for the google site it is trying to access (otherwise, how would I find out what the parameter names are..?)

In addition there are options. Even though there's a finite number of combinations, I haven't been able yet to find one working for me. What is the correct way of doing this?

s := IdHTTP1.Get('https://qwerty.wur.nl');
Memo1.Lines.Add(Format('Response Code: %d', [IdHTTP1.ResponseCode]));
Memo1.Lines.Add(Format('Response Text: %s', [IdHTTP1.ResponseText]));

Memo1.Lines.Add(s);
Community
  • 1
  • 1
user508402
  • 496
  • 1
  • 4
  • 19

2 Answers2

2

You don't need proxy params. Set IdHTTP1.Request.BasicAuthentication instead:

IdHTTP1.Request.BasicAuthentication:= true;
IdHTTP1.Request.UserName := UserName;
IdHTTP1.Request.Password := Password;

Be aware that you need to prepare your application and IdHTTP1 for SSL as explained here: Delphi: idHttp+SSL and here TIdHTTP.Get EIdIOHandlerPropInvalid Error

Community
  • 1
  • 1
Wosi
  • 41,986
  • 17
  • 75
  • 82
  • So, your suggestion is authentication through the Request. There must be something else to it too, for this is one of the variants I have tried (and rechecked now, with a 'fresh' idHTTP component). I think missing dlls make themselves known in a less ambiguous way (Could not load SSL library.). – user508402 Aug 18 '15 at 14:56
  • When you have HTTP authentication then you need to do it via `IdHTTP1.Request`. What kind of authentication do you have? What is the response that you receive? ResponseCode, ResponsMessage? – Wosi Aug 18 '15 at 15:28
  • 1. `BasicAuthentication=true` is not always the correct thing to use. It merely tells `TIdHTTP` that it can use `BASIC` authentication if no other authentication has been specified. Not all servers support `BASIC` as it is not secure. 2. See [New HTTPS functionality for TIdHTTP](http://indyproject.org/Sockets/Blogs/ChangeLog/20141222.aspx). – Remy Lebeau Aug 18 '15 at 15:53
  • The response is "401 - Unauthorized: Access is denied due to invalid credentials". I do not understand the question: What kind of authentication do you have? I have provided name and pwd to the request as suggested here, having BasicAuthentication alternating true and false. – user508402 Aug 18 '15 at 19:45
  • If there is no object assigned to the `TIdHTTP.Request.Authentication` property, and `TIdHTTP.Request.BasicAuthentication` is true, `TIdHTTP` will assign a default `TIdBasicAuthentication` object to the `Authentication` property. If `TIdHTTP.OnSelectAuthorization` is triggered, the `Authentication` property is assigned a new object of the selected `AuthenticationClass`. So, it is the `Authentication` object that decides which auth scheme to use to send credentials to the server in the HTTP `Authentication` header. It sounds like the server does not accept `BASIC` authentication. – Remy Lebeau Aug 18 '15 at 20:50
  • No, alas, after a lot of trying, I am giving up. It should be possible though, with NTLM-authentication ipWorks can do it. A code example might help. – user508402 Sep 01 '15 at 14:30
1

The correct way to specify HTTP authentication credentials in TIdHTTP is to use the TIdHTTP.Request properties. That is where TIdHTTP looks for them when starting a new authenticated session. If the server rejects/challenges the authentication, the OnSelectAuthorization and OnAuthorization events are triggered to allow the app to select a different authentication scheme and/or supply different credentials, respectively.

As for the POST example, it is posting an HTML webform, such as you would see on a website's login page. The parameters are determined by analyzing the HTML that defines the webform, just like a webbrowser would do. Webform authentication has nothing to do with HTTP authentication. The two are not mutually exclusive, they can be used together if the server decides to.

Community
  • 1
  • 1
Remy Lebeau
  • 555,201
  • 31
  • 458
  • 770
  • Thanks for confirmig what I suspected about the post-example. However: the server rejects the authentication it receives but neither OnSelectAuthorization nor OnAuthorization fires when BasicAuthentication is True; OnSelectAuthentication fires though when BasicAuthentication is False - should I react on that event? (AuthenticationClass is TIdSSPINTLMAuthentication). – user508402 Aug 18 '15 at 19:55
  • `On(Select)Authorization` is triggered when the server returns a 401 response, which presents the client with available auth schemes and challenge data so it can retry the request with a new/updated `Authentication` header. If the server returns a 403 response, authentication failed. So, it sounds like the server is returning 403 when `BasicAuthentication` is true. In `OnSelectAuthorization`, `AuthenticationClass` is initialized with Indy's selection based on available auth classes, but you can overwrite it with another auth class, as long as its scheme is listed in the `AuthInfo` parameter. – Remy Lebeau Aug 18 '15 at 20:45