Ralf Pöhlmann created HTTPCLIENT-1186:
-----------------------------------------

             Summary: NTLM authenticated connections are mixed
                 Key: HTTPCLIENT-1186
                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1186
             Project: HttpComponents HttpClient
          Issue Type: Bug
          Components: HttpClient
    Affects Versions: 4.1.3
            Reporter: Ralf Pöhlmann
            Priority: Critical


Executing multiple requests using the same http context, as recommended, mixes 
authenticated connections among different users. 

If we execute two requests using the same context, the first request adds the 
user token to the http context as well as to the connection properties. The 
second request finds a user token already in the http context, but if a new 
connection is created (no free connection in the pool), this new connection 
is never assigned to a user token and is used independent of any user context!

See DefaultRequestDirector:

// See if we have a user token bound to the execution context
Object userToken = context.getAttribute(ClientContext.USER_TOKEN);
...
if (managedConn != null && userToken == null) {
   userToken = userTokenHandler.getUserToken(context);
   context.setAttribute(ClientContext.USER_TOKEN, userToken);
   if (userToken != null) {
      managedConn.setState(userToken);
   }
}

and RouteSpecificPool:

    public BasicPoolEntry allocEntry(final Object state) {
        if (!freeEntries.isEmpty()) {
            ListIterator<BasicPoolEntry> it = freeEntries.listIterator(freeEntries.size());
            while (it.hasPrevious()) {
                BasicPoolEntry entry = it.previous();
                if (entry.getState() == null || LangUtils.equals(state, entry.getState())) {
                    it.remove();
                    return entry;
                }

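The interaction described in the report, reduced to a toy model. This is an added example, not code from the report or from HttpClient: the class, method and key names are hypothetical, and the `bindAlways` variant is an illustrative assumption, not the project's fix.

```java
import java.util.*;
// Toy model of the behaviour described in the report; not HttpClient source.
// Conn, lease, execute, scenario and the "user-token" key are hypothetical names.
public class UserTokenPoolDemo {
    static class Conn {
        Object state;            // user token the pool matches on
        String authenticatedAs;  // identity the NTLM handshake bound to this connection
    }
    static final Deque<Conn> free = new ArrayDeque<>();

    // Pool rule quoted in the report: an entry with null state fits any requester.
    static Conn lease(Object state) {
        for (Iterator<Conn> it = free.descendingIterator(); it.hasNext();) {
            Conn c = it.next();
            if (c.state == null || Objects.equals(state, c.state)) {
                it.remove();
                return c;
            }
        }
        return new Conn(); // nothing suitable is free: open a new connection
    }

    // Director rule quoted in the report when bindAlways is false. bindAlways = true
    // is an illustrative variant that tags every leased connection with the token.
    static Conn execute(Map<String, Object> ctx, String user, boolean bindAlways) {
        Object token = ctx.get("user-token");
        Conn c = lease(token);
        if (c.authenticatedAs == null) c.authenticatedAs = user; // handshake on a fresh connection
        if (token == null) {
            ctx.put("user-token", user);
            c.state = user;
        } else if (bindAlways) {
            c.state = token;
        }
        return c;
    }

    // Identity of the connection handed to bob after alice ran two overlapping requests.
    static String scenario(boolean bindAlways) {
        free.clear();
        Map<String, Object> aliceCtx = new HashMap<>(), bobCtx = new HashMap<>();
        Conn first = execute(aliceCtx, "alice", bindAlways);
        Conn second = execute(aliceCtx, "alice", bindAlways); // first is still leased
        free.add(first); free.add(second);                    // both go back to the pool
        return execute(bobCtx, "bob", bindAlways).authenticatedAs;
    }

    public static void main(String[] args) {
        System.out.println("reported logic -> " + scenario(false) + ", always bind -> " + scenario(true));
    }
}
```

With the reported logic, bob's first request is served on the untagged second connection that alice authenticated; in the variant, no pooled entry matches and bob gets a new connection.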