F Carlsen created HTTPCLIENT-1338:
-------------------------------------

             Summary: Caching of digest credentials broken when server expires nonce (regression bug)
                 Key: HTTPCLIENT-1338
                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1338
             Project: HttpComponents HttpClient
          Issue Type: Bug
          Components: HttpClient
    Affects Versions: 4.2.3
            Reporter: F Carlsen


In 4.2.3, caching of digest authentication is broken after the server issues a new nonce.

By default (when using a new local HttpContext for each request) the client will receive a 401 before every successful 200. To avoid this, the HttpContext must be reused between requests. This initializes the AuthCache and creates one DigestScheme instance, and subsequent requests will be "pre-authenticated" based on the first nonce returned by the server. One will then get one 401 first with the server-issued nonce, and subsequent requests will make use of this nonce to authenticate and avoid superfluous 401s. As the BasicHttpContext is not thread-safe, it must be cached per thread if the client can issue requests on multiple threads.

So far so good.

However, when the server issues a new nonce (after it has perhaps expired, or maybe because the request was reverse proxied over to a different server instance), the client doesn't cache the updated nonce; we end up trying to reuse the old one for as long as we reuse an AuthCache. So caching the nonce from the server only works for a short while, until the server decides to change it, and thereafter it is back to getting a 401 for every request before it succeeds.

This happens because, when the request fails after the nonce has expired, a new DigestScheme instance is created inside the TargetAuthenticationStrategy, but this new instance is only cached for the ongoing request (until the 200 is received) and is afterwards discarded, while the reused HttpContext still has an AuthCache which references the old DigestScheme with the original nonce from the server. On subsequent tries we then end up reusing an old DigestScheme instance with an out-of-date nonce, but have no way of detecting that the nonce was updated, as this takes place wholly inside AbstractHttpClient, and it creates a new DigestScheme which isn't set in the reused HttpContext.


The result is a performance issue, as the client then has to issue two HTTP calls for every request to succeed, even though the credentials provided are cached and available on the client.
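The following harness is an added example, not code from the issue report or from HttpClient itself. It reproduces the setup the report describes (one reused BasicHttpContext per thread, so the AuthCache and its DigestScheme survive across requests) and counts the 401 challenges the client sees, so the regression becomes measurable: a healthy client shows roughly one 401 per server-issued nonce, the broken one shows one 401 per request. The host, port, path, realm and credentials are placeholders, and the HttpClient 4.2 API is assumed.

```java
import org.apache.http.HttpException;
import org.apache.http.HttpResponse;
import org.apache.http.HttpResponseInterceptor;
import org.apache.http.HttpStatus;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.protocol.BasicHttpContext;
import org.apache.http.protocol.HttpContext;
import org.apache.http.util.EntityUtils;

import java.io.IOException;
import java.util.concurrent.atomic.AtomicInteger;

public class DigestCacheCheck {
    // BasicHttpContext is not thread-safe, so each thread keeps its own copy;
    // reusing it is what lets HttpClient keep the cached DigestScheme/nonce.
    private static final ThreadLocal<HttpContext> CONTEXT = new ThreadLocal<HttpContext>() {
        @Override protected HttpContext initialValue() { return new BasicHttpContext(); }
    };
    private static final AtomicInteger CHALLENGES = new AtomicInteger();

    public static void main(String[] args) throws Exception {
        DefaultHttpClient client = new DefaultHttpClient();
        client.getCredentialsProvider().setCredentials(
            new AuthScope("example.invalid", 8080),                // placeholder host
            new UsernamePasswordCredentials("user", "secret"));    // placeholder creds

        // Response interceptors see every response, including the 401 challenges
        // the client retries internally before handing back the final 200.
        client.addResponseInterceptor(new HttpResponseInterceptor() {
            public void process(HttpResponse response, HttpContext context)
                    throws HttpException, IOException {
                if (response.getStatusLine().getStatusCode() == HttpStatus.SC_UNAUTHORIZED) {
                    CHALLENGES.incrementAndGet();
                }
            }
        });

        int requests = 20;
        for (int i = 0; i < requests; i++) {
            HttpResponse response = client.execute(
                new HttpGet("http://example.invalid:8080/protected"), CONTEXT.get());
            EntityUtils.consume(response.getEntity()); // release the connection
        }
        // Expect ~1 challenge per nonce rotation; ~1 per request means the stale-nonce bug.
        System.out.printf("%d requests, %d 401 challenges%n", requests, CHALLENGES.get());
        client.getConnectionManager().shutdown();
    }
}
```

Run it against a digest-protected endpoint whose nonces expire within the test window; a ratio of challenges to requests that stays near 1:1 after the first nonce change is the symptom described above.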
