[ https://issues.apache.org/jira/browse/HTTPCLIENT-1129?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13122000#comment-13122000 ]
Harald Kirsch commented on HTTPCLIENT-1129:
-------------------------------------------

Well, I am not the expert on Kerberos and HTTP and all that, but from the ground up, HTTP is stateless. Consequently the client must, in every request, send authenticating information of some kind, or will get a 401.

When the client succeeds with authentication, it gets a redirect. Then it sends a new GET to the redirect address, but as we see from the logs, it does not send any authorization information. The header

Authorization: Negotiate YIIK7gYGK...

is *not* sent, but I would expect this to be the case. Whether the same authentication string is allowed for the now different URL is beyond my knowledge.

Harald.

> Redirect and Kerberos authentication in conflict
> ------------------------------------------------
>
> Key: HTTPCLIENT-1129
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1129
> Project: HttpComponents HttpClient
> Issue Type: Wish
> Components: HttpClient
> Affects Versions: 4.1.2
> Reporter: Harald Kirsch
> Attachments: examples.txt, logFrom401Example.txt, this_also_works.log, this_works.log, wiresharkFrom401.txt
>
> We are using the HttpClient to connect to a Website that uses Kerberos-Authentication.
> Beware this trigger word: Kerberos! I think this is *not* the problem, but please read on.
> Here is the sequence of events:
> Client: GET /
> Server: Unauthorized.
> Client: GET / and includes authentication.
> Server: 302 to /something on the same host (this shows that in principle authentication works)
> Client: GET /something, does not include authentication
> Server: Unauthorized
> Client quits with 401-Unauthorized.
> I would have expected one of the following instead:
> 1) Client immediately sends authorization information with the redirected GET /something
> 2) Client re-requests the /something with authorization after 401-Unauthorized.
> We could get around the problem by setting the ConnectionReuseStrategy to a constant false.
> It would be great if someone could tell me if HttpClient works as expected or whether there is a bug or misconfiguration lurking.
> Thanks,
> Harald.
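
An added example, not part of the original message or of HttpClient: a small Python check that scans a header log for the sequence reported above, where an authenticated request is redirected on the same host and the follow-up request goes out without an Authorization header and is answered with 401. The `>>` / `<<` log layout, the host name and the token in the sample are constructed assumptions.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed sample (assumed ">>"/"<<" log layout; placeholder host and token).
SAMPLE_LOG = """\
>> GET / HTTP/1.1
>> Host: intranet.example
<< HTTP/1.1 401 Unauthorized
>> GET / HTTP/1.1
>> Host: intranet.example
>> Authorization: Negotiate <token>
<< HTTP/1.1 302 Found
<< Location: /something
>> GET /something HTTP/1.1
>> Host: intranet.example
<< HTTP/1.1 401 Unauthorized
"""

def parse_exchanges(log):
    """Group header-log lines into request/response exchanges."""
    exchanges = []
    for m in re.finditer(r"(>>|<<) (.*)", log):
        direction, text = m.groups()
        if direction == ">>" and re.match(r"[A-Z]+ \S+ HTTP/", text):
            exchanges.append({"path": text.split()[1], "status": None, "req": {}, "resp": {}})
        elif direction == "<<" and text.startswith("HTTP/") and exchanges:
            exchanges[-1]["status"] = int(text.split()[1])
        elif ":" in text and exchanges:
            name, value = text.split(":", 1)
            side = "req" if direction == ">>" else "resp"
            exchanges[-1][side][name.strip().lower()] = value.strip()
    return exchanges

def find_dropped_auth(exchanges):
    """Paths hit without Authorization (and answered 401) right after an authenticated same-host redirect."""
    hits = []
    for prev, cur in zip(exchanges, exchanges[1:]):
        redirected = prev["status"] in range(300, 400) and "location" in prev["resp"]
        if not redirected or "authorization" not in prev["req"]:
            continue
        # Scheme is assumed; it is only needed to resolve a relative Location.
        base = "http://" + prev["req"].get("host", "") + prev["path"]
        target = urlsplit(urljoin(base, prev["resp"]["location"]))
        if (target.netloc == cur["req"].get("host") and target.path == cur["path"]
                and "authorization" not in cur["req"] and cur["status"] == 401):
            hits.append(cur["path"])
    return hits
```

A redirect to a different host is deliberately not flagged, since a client withholding credentials there is the expected behaviour.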