On 2015-04-07 at 12:04, Oleg Kalnichevski wrote:
On Mon, 2015-04-06 at 22:15 +0200, Michael Osipov wrote:
On 2015-04-06 at 18:12, Oleg Kalnichevski wrote:
On Mon, 2015-04-06 at 16:26 +0200, Michael Osipov wrote:
Hi folks,
I have finally started coding of that issue. While I was able to write a
working prototype within an hour authenticating against Apache Tomcat
and Apache Web Server, an issue arose I am not really clear about:
Is a credentials provider always necessary for a target host?
Yes, it is.
Thanks, that did the trick!
In other
words, do I always need something like this:
CredentialsProvider p = new BasicCredentialsProvider();
p.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials("mumu:mumu"));
builder.setDefaultCredentialsProvider(p);
Although the credential is by default obtained at runtime?
I have noticed that authentication is not executed if no cred provider
is set and the logs are not very chatty about that.
This whole concept of the auth APIs goes back to the days of HC 2.0 and
it remained virtually unchanged in HC 3.x and HC 4.x. The auth APIs were
primarily designed to work well with standard auth schemes like BASIC
and DIGEST and similar password based auth schemes. Things like Kerberos
and native Windows auth were not properly factored in at that point of
time. We can think of a better abstraction for HC 5, but for now we will
have to live with what we have.
I'll keep that in mind.
While I have gained some progress now, the client is not behaving the
way I expect it. The AuthScheme impl is called, sends the first token
which is accepted by the server and the response token is sent. That is,
unfortunately, completely ignored. The HttpAuthenticator says
"Authentication succeeded" and ignores #isConnectionBased and
#isCompleted. Here is a wire log:
Requesting: http://server.company.net:8080/manager/html
[main] DEBUG org.apache.http.client.protocol.RequestAddCookies -
CookieSpec selected: default
[main] DEBUG org.apache.http.client.protocol.RequestAuthCache - Auth
cache not set in the context
[main] DEBUG
org.apache.http.impl.conn.PoolingHttpClientConnectionManager -
Connection request: [route: {}->http://server.company.net:8080][total
kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20]
[main] DEBUG
org.apache.http.impl.conn.PoolingHttpClientConnectionManager -
Connection leased: [id: 0][route:
{}->http://server.company.net:8080][total kept alive: 0; route
allocated: 1 of 2; total allocated: 1 of 20]
[main] DEBUG org.apache.http.impl.execchain.MainClientExec - Opening
connection {}->http://server.company.net:8080
[main] DEBUG
org.apache.http.impl.conn.DefaultHttpClientConnectionOperator -
Connecting to server.company.net/1.2.3.4:8080
[main] DEBUG
org.apache.http.impl.conn.DefaultHttpClientConnectionOperator -
Connection established 2.3.4.5:44647<->1.2.3.4:8080
[main] DEBUG org.apache.http.impl.execchain.MainClientExec - Executing
request GET /manager/html HTTP/1.1
[main] DEBUG org.apache.http.impl.execchain.MainClientExec - Target auth
state: UNCHALLENGED
[main] DEBUG org.apache.http.impl.execchain.MainClientExec - Proxy auth
state: UNCHALLENGED
[main] DEBUG org.apache.http.headers - http-outgoing-0 >> GET
/manager/html HTTP/1.1
[main] DEBUG org.apache.http.headers - http-outgoing-0 >> Host:
server.company.net:8080
[main] DEBUG org.apache.http.headers - http-outgoing-0 >> Connection:
Keep-Alive
[main] DEBUG org.apache.http.headers - http-outgoing-0 >> User-Agent:
Apache-HttpClient/UNAVAILABLE (Java/1.7.0_76)
[main] DEBUG org.apache.http.headers - http-outgoing-0 >>
Accept-Encoding: gzip,deflate
[main] DEBUG org.apache.http.headers - http-outgoing-0 << HTTP/1.1 401
Unauthorized
[main] DEBUG org.apache.http.headers - http-outgoing-0 << Server:
Apache-Coyote/1.1
[main] DEBUG org.apache.http.headers - http-outgoing-0 << Cache-Control:
private
[main] DEBUG org.apache.http.headers - http-outgoing-0 << Expires: Thu,
01 Jan 1970 01:00:00 CET
[main] DEBUG org.apache.http.headers - http-outgoing-0 <<
WWW-Authenticate: Negotiate
[main] DEBUG org.apache.http.headers - http-outgoing-0 << Content-Type:
text/html;charset=utf-8
[main] DEBUG org.apache.http.headers - http-outgoing-0 <<
Content-Length: 974
[main] DEBUG org.apache.http.headers - http-outgoing-0 << Date: Mon, 06
Apr 2015 19:43:27 GMT
[main] DEBUG org.apache.http.impl.execchain.MainClientExec - Connection
can be kept alive indefinitely
[main] DEBUG org.apache.http.impl.auth.HttpAuthenticator -
Authentication required
[main] DEBUG org.apache.http.impl.auth.HttpAuthenticator -
server.company.net:8080 requested authentication
[main] DEBUG org.apache.http.impl.client.TargetAuthenticationStrategy -
Authentication schemes in the order of preference: [Negotiate, Kerberos,
NTLM, Digest, Basic]
[main] DEBUG org.apache.http.impl.client.TargetAuthenticationStrategy -
Challenge for Kerberos authentication scheme not available
[main] DEBUG org.apache.http.impl.client.TargetAuthenticationStrategy -
Challenge for NTLM authentication scheme not available
[main] DEBUG org.apache.http.impl.client.TargetAuthenticationStrategy -
Challenge for Digest authentication scheme not available
[main] DEBUG org.apache.http.impl.client.TargetAuthenticationStrategy -
Challenge for Basic authentication scheme not available
[main] DEBUG org.apache.http.impl.auth.HttpAuthenticator - Selected
authentication options: [NEGOTIATE]
[main] DEBUG org.apache.http.impl.execchain.MainClientExec - Executing
request GET /manager/html HTTP/1.1
[main] DEBUG org.apache.http.impl.execchain.MainClientExec - Target auth
state: CHALLENGED
[main] DEBUG org.apache.http.impl.auth.HttpAuthenticator - Generating
response to an authentication challenge using Negotiate scheme
[main] DEBUG org.apache.http.impl.auth.GSSBasedScheme - Using
HttpContext org.apache.http.client.protocol.HttpClientContext@cc357d
[main] DEBUG org.apache.http.impl.auth.GSSBasedScheme - Starting
GSS-based authentication for scheme 'Negotiate' (1.3.6.1.5.5.2)
[main] DEBUG org.apache.http.impl.auth.GSSBasedScheme - GSS context for
target host with SPN '[email protected]' created
[main] DEBUG org.apache.http.impl.auth.GSSBasedScheme - GSS context
establishment is in progress
[main] DEBUG org.apache.http.impl.execchain.MainClientExec - Proxy auth
state: UNCHALLENGED
[main] DEBUG org.apache.http.headers - http-outgoing-0 >> GET
/manager/html HTTP/1.1
[main] DEBUG org.apache.http.headers - http-outgoing-0 >> Host:
server.company.net:8080
[main] DEBUG org.apache.http.headers - http-outgoing-0 >> Connection:
Keep-Alive
[main] DEBUG org.apache.http.headers - http-outgoing-0 >> User-Agent:
Apache-HttpClient/UNAVAILABLE (Java/1.7.0_76)
[main] DEBUG org.apache.http.headers - http-outgoing-0 >>
Accept-Encoding: gzip,deflate
[main] DEBUG org.apache.http.headers - http-outgoing-0 >> Authorization:
Negotiate YIIYwwYGKwY...
[main] DEBUG org.apache.http.headers - http-outgoing-0 << HTTP/1.1 200 OK
[main] DEBUG org.apache.http.headers - http-outgoing-0 << Server:
Apache-Coyote/1.1
[main] DEBUG org.apache.http.headers - http-outgoing-0 << Cache-Control:
private
[main] DEBUG org.apache.http.headers - http-outgoing-0 << Expires: Thu,
01 Jan 1970 01:00:00 CET
[main] DEBUG org.apache.http.headers - http-outgoing-0 <<
WWW-Authenticate: Negotiate oYHtMIHqoAM...
Oh, Holy Mother. WWW-Authenticate in a 200 response? Really?
Absolutely, it can happen on any response code, at least 2xx and 3xx
because HTTP is crappy for that. The token you see is the mutual
response token from the server, which NTLM for example does not have.
Type 2 message responds with a 401. That is the reason why NTLM works in
HttpClient. I consider every module for SPNEGO and Kerberos in
HttpClient as not working and not usable.
In theory, authentication has to be completed before application
protocol starts. This is how SASL does it and others. HTTP is unlucky here.
Here is a better example from our corporate Subversion server on Apache
Web Server:
Requesting: https://server.company.net/repos/svn/X2TC
[main] DEBUG org.apache.http.client.protocol.RequestAddCookies -
CookieSpec selected: default
[main] DEBUG org.apache.http.client.protocol.RequestAuthCache - Auth
cache not set in the context
[main] DEBUG
org.apache.http.impl.conn.PoolingHttpClientConnectionManager -
Connection request: [route: {s}->https://server.company.net:443][total
kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20]
[main] DEBUG
org.apache.http.impl.conn.PoolingHttpClientConnectionManager -
Connection leased: [id: 2][route:
{s}->https://server.company.net:443][total kept alive: 0; route
allocated: 1 of 2; total allocated: 1 of 20]
[main] DEBUG org.apache.http.impl.execchain.MainClientExec - Opening
connection {s}->https://server.company.net:443
[main] DEBUG
org.apache.http.impl.conn.DefaultHttpClientConnectionOperator -
Connecting to server.company.net/<server IP>:443
[main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory -
Connecting socket to server.company.net/<server IP>:443 with timeout 0
[main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory -
Enabled protocols: [TLSv1]
[main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory -
Enabled cipher suites:[TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA,
TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA,
SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
[main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory -
Starting handshake
[main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory -
Secure session established
[main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory -
negotiated protocol: TLSv1
[main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory -
negotiated cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
[main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - peer
principal: CN=server.company.net, C=DE, O=...
[main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory -
issuer principal: CN=...
[main] DEBUG
org.apache.http.impl.conn.DefaultHttpClientConnectionOperator -
Connection established <server IP>:44700<-><server IP>:443
[main] DEBUG org.apache.http.impl.execchain.MainClientExec - Executing
request GET /repos/svn/X2TC HTTP/1.1
[main] DEBUG org.apache.http.impl.execchain.MainClientExec - Target auth
state: SUCCESS
[main] DEBUG org.apache.http.impl.execchain.MainClientExec - Proxy auth
state: UNCHALLENGED
[main] DEBUG org.apache.http.headers - http-outgoing-2 >> GET
/repos/svn/X2TC HTTP/1.1
[main] DEBUG org.apache.http.headers - http-outgoing-2 >> Host:
server.company.net
[main] DEBUG org.apache.http.headers - http-outgoing-2 >> Connection:
Keep-Alive
[main] DEBUG org.apache.http.headers - http-outgoing-2 >> User-Agent:
Apache-HttpClient/UNAVAILABLE (Java/1.7.0_76)
[main] DEBUG org.apache.http.headers - http-outgoing-2 >>
Accept-Encoding: gzip,deflate
[main] DEBUG org.apache.http.headers - http-outgoing-2 << HTTP/1.1 401
Authorization Required
[main] DEBUG org.apache.http.headers - http-outgoing-2 << Date: Mon, 06
Apr 2015 19:47:28 GMT
[main] DEBUG org.apache.http.headers - http-outgoing-2 << Server:
Apache/2.2.29 (FreeBSD) SVN/1.8.11 PHP/5.4.38 mod_ssl/2.2.29
OpenSSL/1.0.2a DAV/2
[main] DEBUG org.apache.http.headers - http-outgoing-2 <<
WWW-Authenticate: Negotiate
[main] DEBUG org.apache.http.headers - http-outgoing-2 <<
Content-Length: 553
[main] DEBUG org.apache.http.headers - http-outgoing-2 << Keep-Alive:
timeout=5, max=1000
[main] DEBUG org.apache.http.headers - http-outgoing-2 << Connection:
Keep-Alive
[main] DEBUG org.apache.http.headers - http-outgoing-2 << Content-Type:
text/html; charset=iso-8859-1
[main] DEBUG org.apache.http.impl.execchain.MainClientExec - Connection
can be kept alive for 5000 MILLISECONDS
[main] DEBUG org.apache.http.impl.auth.HttpAuthenticator -
Authentication required
[main] DEBUG org.apache.http.impl.auth.HttpAuthenticator -
server.company.net:443 requested authentication
[main] DEBUG org.apache.http.impl.client.TargetAuthenticationStrategy -
Authentication schemes in the order of preference: [Negotiate, Kerberos,
NTLM, Digest, Basic]
[main] DEBUG org.apache.http.impl.client.TargetAuthenticationStrategy -
Challenge for Kerberos authentication scheme not available
[main] DEBUG org.apache.http.impl.client.TargetAuthenticationStrategy -
Challenge for NTLM authentication scheme not available
[main] DEBUG org.apache.http.impl.client.TargetAuthenticationStrategy -
Challenge for Digest authentication scheme not available
[main] DEBUG org.apache.http.impl.client.TargetAuthenticationStrategy -
Challenge for Basic authentication scheme not available
[main] DEBUG org.apache.http.impl.auth.HttpAuthenticator - Selected
authentication options: [NEGOTIATE]
[main] DEBUG org.apache.http.impl.execchain.MainClientExec - Executing
request GET /repos/svn/X2TC HTTP/1.1
[main] DEBUG org.apache.http.impl.execchain.MainClientExec - Target auth
state: CHALLENGED
[main] DEBUG org.apache.http.impl.auth.HttpAuthenticator - Generating
response to an authentication challenge using Negotiate scheme
[main] DEBUG org.apache.http.impl.auth.GSSBasedScheme - Using
HttpContext org.apache.http.client.protocol.HttpClientContext@cc357d
[main] DEBUG org.apache.http.impl.auth.GSSBasedScheme - Starting
GSS-based authentication for scheme 'Negotiate' (1.3.6.1.5.5.2)
[main] DEBUG org.apache.http.impl.auth.GSSBasedScheme - GSS context for
target host with SPN '[email protected]' created
[main] DEBUG org.apache.http.impl.auth.GSSBasedScheme - GSS context
establishment is in progress
[main] DEBUG org.apache.http.impl.execchain.MainClientExec - Proxy auth
state: UNCHALLENGED
[main] DEBUG org.apache.http.headers - http-outgoing-2 >> GET
/repos/svn/X2TC HTTP/1.1
[main] DEBUG org.apache.http.headers - http-outgoing-2 >> Host:
server.company.net
[main] DEBUG org.apache.http.headers - http-outgoing-2 >> Connection:
Keep-Alive
[main] DEBUG org.apache.http.headers - http-outgoing-2 >> User-Agent:
Apache-HttpClient/UNAVAILABLE (Java/1.7.0_76)
[main] DEBUG org.apache.http.headers - http-outgoing-2 >>
Accept-Encoding: gzip,deflate
[main] DEBUG org.apache.http.headers - http-outgoing-2 >> Authorization:
Negotiate YIIYwwYGKwYBBQUCoIIYtz...
[main] DEBUG org.apache.http.headers - http-outgoing-2 << HTTP/1.1 301
Moved Permanently
[main] DEBUG org.apache.http.headers - http-outgoing-2 << Date: Mon, 06
Apr 2015 19:47:29 GMT
[main] DEBUG org.apache.http.headers - http-outgoing-2 << Server:
Apache/2.2.29 (FreeBSD) SVN/1.8.11 PHP/5.4.38 mod_ssl/2.2.29
OpenSSL/1.0.2a DAV/2
[main] DEBUG org.apache.http.headers - http-outgoing-2 <<
WWW-Authenticate: Negotiate oYGgMIGdoAMKAQCh...
[main] DEBUG org.apache.http.headers - http-outgoing-2 << Location:
https://server.company.net/repos/svn/X2TC/
[main] DEBUG org.apache.http.headers - http-outgoing-2 <<
Content-Length: 410
[main] DEBUG org.apache.http.headers - http-outgoing-2 << Keep-Alive:
timeout=5, max=999
[main] DEBUG org.apache.http.headers - http-outgoing-2 << Connection:
Keep-Alive
[main] DEBUG org.apache.http.headers - http-outgoing-2 << Content-Type:
text/html; charset=iso-8859-1
[main] DEBUG org.apache.http.impl.execchain.MainClientExec - Connection
can be kept alive for 5000 MILLISECONDS
[main] DEBUG org.apache.http.impl.auth.HttpAuthenticator -
Authentication succeeded
[main] DEBUG org.apache.http.impl.client.DefaultRedirectStrategy -
Redirect requested to location 'https://server.company.net/repos/svn/X2TC/'
[main] DEBUG org.apache.http.impl.execchain.RedirectExec - Resetting
target auth state
[main] DEBUG org.apache.http.impl.execchain.RedirectExec - Redirecting
to 'https://server.company.net/repos/svn/X2TC/' via
{s}->https://server.company.net:443
[main] DEBUG
org.apache.http.impl.conn.PoolingHttpClientConnectionManager -
Connection [id: 2][route: {s}->https://server.company.net:443] can be
kept alive for 5.0 seconds
[main] DEBUG
org.apache.http.impl.conn.PoolingHttpClientConnectionManager -
Connection released: [id: 2][route:
{s}->https://server.company.net:443][total kept alive: 1; route
allocated: 1 of 2; total allocated: 1 of 20]
[main] DEBUG org.apache.http.client.protocol.RequestAddCookies -
CookieSpec selected: default
[main] DEBUG org.apache.http.client.protocol.RequestAuthCache - Auth
cache not set in the context
[main] DEBUG
org.apache.http.impl.conn.PoolingHttpClientConnectionManager -
Connection request: [route: {s}->https://server.company.net:443][total
kept alive: 1; route allocated: 1 of 2; total allocated: 1 of 20]
[main] DEBUG
org.apache.http.impl.conn.PoolingHttpClientConnectionManager -
Connection leased: [id: 2][route:
{s}->https://server.company.net:443][total kept alive: 0; route
allocated: 1 of 2; total allocated: 1 of 20]
[main] DEBUG org.apache.http.impl.execchain.MainClientExec - Executing
request GET /repos/svn/X2TC/ HTTP/1.1
[main] DEBUG org.apache.http.impl.execchain.MainClientExec - Target auth
state: UNCHALLENGED
[main] DEBUG org.apache.http.impl.execchain.MainClientExec - Proxy auth
state: UNCHALLENGED
[main] DEBUG org.apache.http.headers - http-outgoing-2 >> GET
/repos/svn/X2TC/ HTTP/1.1
[main] DEBUG org.apache.http.headers - http-outgoing-2 >> Host:
server.company.net
[main] DEBUG org.apache.http.headers - http-outgoing-2 >> Connection:
Keep-Alive
[main] DEBUG org.apache.http.headers - http-outgoing-2 >> User-Agent:
Apache-HttpClient/UNAVAILABLE (Java/1.7.0_76)
[main] DEBUG org.apache.http.headers - http-outgoing-2 >>
Accept-Encoding: gzip,deflate
[main] DEBUG org.apache.http.headers - http-outgoing-2 << HTTP/1.1 200 OK
[main] DEBUG org.apache.http.headers - http-outgoing-2 << Date: Mon, 06
Apr 2015 19:47:29 GMT
[main] DEBUG org.apache.http.headers - http-outgoing-2 << Server:
Apache/2.2.29 (FreeBSD) SVN/1.8.11 PHP/5.4.38 mod_ssl/2.2.29
OpenSSL/1.0.2a DAV/2
[main] DEBUG org.apache.http.headers - http-outgoing-2 << Last-Modified:
Thu, 02 Apr 2015 09:12:12 GMT
[main] DEBUG org.apache.http.headers - http-outgoing-2 << ETag: W/"1063//"
[main] DEBUG org.apache.http.headers - http-outgoing-2 << Accept-Ranges:
bytes
[main] DEBUG org.apache.http.headers - http-outgoing-2 <<
Content-Length: 730
[main] DEBUG org.apache.http.headers - http-outgoing-2 << Keep-Alive:
timeout=5, max=998
[main] DEBUG org.apache.http.headers - http-outgoing-2 << Connection:
Keep-Alive
[main] DEBUG org.apache.http.headers - http-outgoing-2 << Content-Type:
text/html; charset=UTF-8
[main] DEBUG org.apache.http.impl.execchain.MainClientExec - Connection
can be kept alive for 5000 MILLISECONDS
<...response body...>
[main] DEBUG
org.apache.http.impl.conn.PoolingHttpClientConnectionManager -
Connection [id: 2][route: {s}->https://server.company.net:443] can be
kept alive for 5.0 seconds
[main] DEBUG
org.apache.http.impl.conn.PoolingHttpClientConnectionManager -
Connection released: [id: 2][route:
{s}->https://server.company.net:443][total kept alive: 1; route
allocated: 1 of 2; total allocated: 1 of 20]
[main] DEBUG
org.apache.http.impl.conn.PoolingHttpClientConnectionManager -
Connection manager is shutting down
[main] DEBUG
org.apache.http.impl.conn.DefaultManagedHttpClientConnection -
http-outgoing-2: Close connection
[main] DEBUG
org.apache.http.impl.conn.DefaultManagedHttpClientConnection -
http-outgoing-2: Close connection
[main] DEBUG
org.apache.http.impl.conn.PoolingHttpClientConnectionManager -
Connection manager shut down
GET, 401, GET with token, 301 with token, redirected GET, 200. The
server persists the auth on the connection.
[main] DEBUG org.apache.http.headers - http-outgoing-0 << Connection: close
[main] DEBUG org.apache.http.headers - http-outgoing-0 << Set-Cookie:
JSESSIONID=190AF68553CDB68F46FCB330D4A2CC61; Path=/manager; HttpOnly
[main] DEBUG org.apache.http.headers - http-outgoing-0 << Content-Type:
text/html;charset=utf-8
[main] DEBUG org.apache.http.headers - http-outgoing-0 <<
Transfer-Encoding: chunked
[main] DEBUG org.apache.http.headers - http-outgoing-0 <<
Content-Encoding: gzip
[main] DEBUG org.apache.http.headers - http-outgoing-0 << Vary:
Accept-Encoding
[main] DEBUG org.apache.http.headers - http-outgoing-0 << Date: Mon, 06
Apr 2015 19:43:27 GMT
[main] DEBUG org.apache.http.impl.auth.HttpAuthenticator -
Authentication succeeded
[main] DEBUG org.apache.http.client.protocol.ResponseProcessCookies -
Cookie accepted [JSESSIONID="190AF68553CDB68F46FCB330D4A2CC61",
version:0, domain:server.company.net, path:/manager, expiry:null]
[...response body...]
[main] DEBUG
org.apache.http.impl.conn.DefaultManagedHttpClientConnection -
http-outgoing-0: Shutdown connection
[main] DEBUG org.apache.http.impl.execchain.MainClientExec - Connection
discarded
[main] DEBUG
org.apache.http.impl.conn.DefaultManagedHttpClientConnection -
http-outgoing-0: Close connection
[main] DEBUG
org.apache.http.impl.conn.PoolingHttpClientConnectionManager -
Connection released: [id: 0][route:
{}->http://server.company.net:8080][total kept alive: 0; route
allocated: 0 of 2; total allocated: 0 of 20]
My IN_PROGRESS case is never triggered and the response token is not
read by #parseChallenge.
While I do not intend to debug all necessary auth code, I highly suspect
that the client does not call the AuthScheme impl just because the
server responds with 200 OK along with the token.
Edit: I did a quick hack in
AuthenticationStrategyImpl#isAuthenticationRequested to accept 200 OK
too, and it did continue auth and complete the context, but the response
is completely discarded and another request is issued.
Any ideas?
I see no way around adding something hideous like that to
HttpAuthenticator#isAuthenticationRequested
---
if (authState.getAuthScheme() instanceof SPNegoScheme) {
    final SPNegoScheme spNegoScheme = (SPNegoScheme) authState.getAuthScheme();
    final Header header = response.getFirstHeader(
            spNegoScheme.isProxy() ? AUTH.PROXY_AUTH : AUTH.WWW_AUTH);
    if (header != null) {
        try {
            spNegoScheme.processChallenge(header);
        } catch (MalformedChallengeException ignore) {
        }
    }
}
I fear that this is not enough because it does not suffice to process
the challenge but after that AuthScheme#authenticate must be called to
continue the context. If you say that #processChallenge takes in tokens
from the server and #authenticate responds to the server, I have to
rethink about my code/approach. All current schemes are structured the
way I have written the new code.
Somewhat a dead end which has not been designed the way needed in HttpClient.
Michael
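
Added example, not part of the original thread and not HttpClient code: a minimal client-side decision routine for the case in the logs above, where the server's final Negotiate token arrives in a 200 or 301 response and has to be fed to the security context before the exchange counts as complete. `SecContext`, `FakeContext`, `Outcome` and `onResponse` are hypothetical names; in real code `SecContext` would wrap `org.ietf.jgss.GSSContext` (`initSecContext` / `isEstablished`), and the token used here is constructed (Java 8+ for `java.util.Base64`).

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class NegotiateFinalLeg {

    /** Hypothetical minimal view of a GSS initiator context. */
    interface SecContext {
        void accept(byte[] serverToken) throws Exception; // consume one server token
        boolean isEstablished();                          // true once the context is complete
    }

    enum Outcome { CONTINUE, ESTABLISHED, FAILED }

    /** Handle a response received after the client has sent a Negotiate token. */
    static Outcome onResponse(int status, String wwwAuthenticate, SecContext ctx) {
        boolean gotToken = false;
        try {
            byte[] token = extractToken(wwwAuthenticate);
            if (token != null) {
                ctx.accept(token);   // the status code does not matter here
                gotToken = true;
            }
        } catch (Exception e) {      // malformed base64 or a token the context rejects
            return Outcome.FAILED;
        }
        if (status == 401) {
            // Another leg is only possible if the server sent a token and we are not done.
            return gotToken && !ctx.isEstablished() ? Outcome.CONTINUE : Outcome.FAILED;
        }
        // 2xx/3xx: trust the response only if the context really completed.
        return ctx.isEstablished() ? Outcome.ESTABLISHED : Outcome.FAILED;
    }

    /** Returns the decoded token from "Negotiate <base64>", or null for a bare challenge. */
    static byte[] extractToken(String header) {
        if (header == null) return null;
        String[] parts = header.trim().split("\\s+", 2);
        if (parts.length < 2 || !parts[0].equalsIgnoreCase("Negotiate")) return null;
        return Base64.getDecoder().decode(parts[1].trim());
    }

    /** Constructed stand-in for a GSS context: established once it sees the expected token. */
    static final class FakeContext implements SecContext {
        private boolean established;
        public void accept(byte[] t) throws Exception {
            if (!new String(t, StandardCharsets.UTF_8).equals("constructed-final-leg")) {
                throw new Exception("unexpected token");
            }
            established = true;
        }
        public boolean isEstablished() { return established; }
    }

    public static void main(String[] args) {
        String finalLeg = "Negotiate " + Base64.getEncoder()
                .encodeToString("constructed-final-leg".getBytes(StandardCharsets.UTF_8));
        // 200 OK carrying the server token, as in the Tomcat log
        System.out.println(onResponse(200, finalLeg, new FakeContext()));
        // 301 carrying the server token, as in the Apache/Subversion log
        System.out.println(onResponse(301, finalLeg, new FakeContext()));
        // 200 without a token: the context was never completed
        System.out.println(onResponse(200, null, new FakeContext()));
        // 401 with a bare "Negotiate" after our token: the server rejected it
        System.out.println(onResponse(401, "Negotiate", new FakeContext()));
    }
}
```

With mutual authentication requested, the context stays unestablished until the server's token is processed, so reporting success on the status code alone skips the check of the server's identity.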