I'm trying to get the three above working properly, and something is not clicking. Specifically, the authentication request is not being triggered when it appears it should be. According to what I've read here, the relevant pieces are:
- (BOOL)connection:(NSURLConnection *)connection canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)protectionSpace
NSLog(#"protection space");
return [protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust];
- (void)connection:(NSURLConnection *)connection didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
NSLog(#"auth challenge");
NSInteger count = [challenge previousFailureCount];
if (count > 0)
NSLog(#"count > 0");
NSObject<ServiceDelegate> *delegate = [currentRequest delegate];
[[challenge sender] cancelAuthenticationChallenge:challenge];
if ([delegate respondsToSelector:#selector(wrapperHasBadCredentials:)])
[delegate rbService:self wrapperHasBadCredentials:self];
NSArray *trustedHosts = [[NSArray alloc] initWithObjects:#"myserver", nil];
if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust])
NSLog(#"server trust");
if ([trustedHosts containsObject:challenge.protectionSpace.host])
[challenge.sender useCredential:[NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust] forAuthenticationChallenge:challenge];
[challenge.sender continueWithoutCredentialForAuthenticationChallenge:challenge];
NSURLCredential* credential = [[[NSURLCredential alloc] initWithUser:#"xxx" password:#"xxx" persistence:NSURLCredentialPersistenceForSession] autorelease];
[[challenge sender] useCredential:credential forAuthenticationChallenge:challenge];
The target server is set up for two URLS, one HTTPS and one HTTP, both of which prompt for username/password using basic authentication. I've checked the target server using firefox and everything seems to work as advertised. The target server uses an untrusted cert, but I thought I'd taken care of that in the code. Maybe not.
The specific behavior in the application:
When using HTTP the log reads:
log - protection space
(then returns 401 code)
When using HTTPS:
log - protection space
log - auth challenge
log - server trust
log - protection space
(then returns a 401 code)
In the first instance, it gets to the canAuthenticate... section, returns, but then doesn't challenge for the authentication, and returns a 401 response.
In the second instance, it does all that, actually does challenge, then goes to the canAuthenticate... section again, returns, and returns a 401 response.
Keep in mind that the request is a POST request, complete with headers and an HTTPBody. The authentication is not included in the headers (I would rather not do that), but if there is no other solution I will try things that way.
As always, thank you very much for the help. It's priceless.
It looks like the answer here has to be sending the authentication along with the POST request. I was thinking that the challenge/response process would somehow add those headers to the request by itself, but apparently not.
I am trying to implement Http Digest Authentication over SSL for one of my clients. I could not find any reference related to this. Is this possible to implement?
After several research, I found out that, iOS does not provide any such in built support for Http authentication over SSL, expect SOCKS. But if you are desperate to implement it, create a socket and do Digest/NTLM/... handshake your self and use the same socket to create Input/Output streams. As of now, this is the only way to do it.
However, for regular Http requests such as POST/GET/... you can use NSURLConnection class as following code to authenticate the servers.
- (void)connection:(NSURLConnection *)connection didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
NSLog(#"InShiva didReceiveAuthenticationChallenge") ;
if ([challenge previousFailureCount] == 0)
NSLog(#"received authentication challenge");
NSURLCredential *newCredential = [NSURLCredential credentialWithUser:#"username"
NSLog(#"credential created");
[[challenge sender] useCredential:newCredential forAuthenticationChallenge:challenge];
NSLog(#"responded to authentication challenge");
NSLog(#"previous authentication failure");
With AFNetworking I have successfully consumed https webservice with below code,
NSString *aStrServerUrl = WS_URL;
// Initialize AFHTTPRequestOperationManager...
AFHTTPRequestOperationManager *manager = [AFHTTPRequestOperationManager manager];
manager.requestSerializer = [AFJSONRequestSerializer serializer];
manager.responseSerializer = [AFJSONResponseSerializer serializer];
[manager.requestSerializer setValue:#"application/json" forHTTPHeaderField:#"Content-Type"];
manager.securityPolicy.allowInvalidCertificates = YES;
[manager POST:aStrServerUrl parameters:parameters success:^(AFHTTPRequestOperation *operation, id responseObject)
successBlock(operation, responseObject);
} failure:^(AFHTTPRequestOperation *operation, NSError *error)
errorBlock(operation, error);
Here's an issue: I need to implement both HTTP basic authorization and MS NTLM authorization. I use asynchronous NSURLConnection so I receive
-(void)connection:(NSURLConnection *)connection didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
callback. The full code of this method looks like that:
-(void)connection:(NSURLConnection *)connection didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
NSString* authMethod = [[challenge protectionSpace] authenticationMethod];
NSLog(#"Authentication method: %#", authMethod);
NSString *userName = self.login;
if ([authMethod isEqualToString:NSURLAuthenticationMethodNTLM]) {
userName = [userName lastElementAfterSlash];
else if ([authMethod isEqualToString:NSURLAuthenticationMethodNegotiate]) {
userName = [NSString stringWithFormat:#"%##%#", userName, self.url.host];
if ([challenge previousFailureCount] <= 1) {
NSURLCredential *credential = [NSURLCredential credentialWithUser:userName password:self.password persistence:NSURLCredentialPersistenceForSession];
[[challenge sender] useCredential:credential forAuthenticationChallenge:challenge];
NSURLProtectionSpace *protectionSpace = [[NSURLProtectionSpace alloc]
initWithHost:[self.url host]
realm:[self.url host]
[[NSURLCredentialStorage sharedCredentialStorage] setDefaultCredential:credential
else {
NSLog(#"Authentication error");
NSLog(#"Failed login with status code: %d", [(NSHTTPURLResponse*)[challenge failureResponse]statusCode]);
[[challenge sender] cancelAuthenticationChallenge:challenge];
The two global issues I've met so far using this method:
1) As per Charles sniffer, all the requests to the server are doubled (as per Apple Docs, it's an expected behaviour). However, it leads to lack of performance (two requests instead of just one) comparing to setting header directly, using setValue:forHTTPHeader:.
2) It's being called not for every request. For example, when I'm trying to grab an image from server, it returns 302 (redirect to login web page) HTTP code instead of 401 HTTP code, so this does not work at all.
What I want to accomplish, is to grab the correct Authorization header once and then put it manually in every subsequent NSMutableURLRequest I make. I can compose HTTP Basic authorization manually, it's pretty simple, but I can't compose NTLM header in the same manner, that's why I was relying on didReceiveAuthenticationChallenge: method.
Could you please point me out, how can I receive the Authorization header, that is set automatically by NSURLProtectionSpace, so each request will INITIALLY go authorized?
P.S. I tried to receive it from
[connection.currentRequest allHTTPHeaderFields];
but it returns an empty array. I'm fighting with that for more than two days, any help will be kindly appreciated!
