Jetty Logo
Version: 9.4.29.v20200521
Contact the core Jetty developers at

private support for your internal/customer projects ... custom extensions and distributions ... versioned snapshots for indefinite support ... scalability guidance for your apps and Ajax/Comet projects ... development services for sponsored feature development

Authentication Support

Jetty’s HTTP client supports the BASIC and DIGEST authentication mechanisms defined by RFC 7235.

You can configure authentication credentials in the HTTP client instance as follows:

URI uri = new URI("");
String realm = "MyRealm";
String user = "username";
String pass = "password";

// Add authentication credentials
AuthenticationStore auth = httpClient.getAuthenticationStore();
auth.addAuthentication(new BasicAuthentication(uri, realm, user, pass));

ContentResponse response = httpClient
        .get(5, TimeUnit.SECONDS);

Jetty’s HTTP client tests authentication credentials against the challenge(s) the server issues (see our section here on secure password obfuscation), and if they match it automatically sends the right authentication headers to the server for authentication. If the authentication is successful, it caches the result and reuses it for subsequent requests for the same domain and matching URIs.

The HTTP conversation for a successful match is the following:

Application  HttpClient                     Server
     |           |                             |
     |--- GET ---|------------ GET ----------->|
     |           |                             |
     |           |<-- 401 + WWW-Authenticate --|
     |           |                             |
     |           |--- GET + Authentication --->|
     |           |                             |
     |<-- 200 ---|------------ 200 ------------|

The application does not receive events related to the response with code 401, they are handled internally by HttpClient which produces a request similar to the original but with the correct Authorization header, and then relays the response with code 200 to the application.

Successful authentications are cached, but it is possible to clear them in order to force authentication again:


Authentications may be preempted to avoid the additional roundtrip due to the server challenge in this way:

AuthenticationStore auth = httpClient.getAuthenticationStore();
URI uri = URI.create("");
auth.addAuthenticationResult(new BasicAuthentication.BasicResult(uri, "username", "password"));

In this way, requests for the given URI are enriched by HttpClient immediately with the Authorization header, and the server should respond with a 200 and the resource content rather than with the 401 and the challenge.

It is also possible to preempt the authentication for a single request only, in this way:

URI uri = URI.create("");
Authentication.Result authn = new BasicAuthentication.BasicResult(uri, "username", "password")
Request request = httpClient.newRequest(uri);

See also the proxy authentication section for further information about how authentication works with HTTP proxies.

See an error or something missing? Contribute to this documentation at Github!(Generated: 2020-05-21)