[ 
https://issues.apache.org/jira/browse/HTTPCLIENT-1338?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

F Carlsen updated HTTPCLIENT-1338:
----------------------------------

    Attachment: 4.2.3.txt

In 4.2.3 it fails (see after request #108 in attached log).

Request #123 is the subsequent request from the same thread as #108.  Notice 
how the client sends the same nonce in both cases, even though the server told 
it to use a different nonce.

#108
Client Sends -> Authorization: Digest username="admin", realm="ard-test-realm", 
nonce="nX4TpLLo4Teyb9/j4Y8mIwZqb3l7FcYa", 
uri="http://localhost:10080/ard/service/ardServer";, 
response="f47c96fd92c541bd96b88bdcf07e6a74", qop=auth, nc=0000001c, 
cnonce="c08824524f883ebd", algorithm="MD5"
Server responds <- WWW-Authenticate: Digest realm="ard-test-realm", 
domain="/ard", nonce="PtIh3EfN3OW9pVCOfb0Xyf7Zz6F0/1tN", algorithm=MD5, 
qop="auth", stale=true

... other threads ...

#123 
Client Sends -> Authorization: Digest username="admin", realm="ard-test-realm", 
nonce="nX4TpLLo4Teyb9/j4Y8mIwZqb3l7FcYa", 
uri="http://localhost:10080/ard/service/ardServer";, 
response="99830fc00447bd97da1153bcd54752c6", qop=auth, nc=0000001d, 
cnonce="c08824524f883ebd", algorithm="MD5"
Server responds <- WWW-Authenticate: Digest realm="ard-test-realm", 
domain="/ard", nonce="VzItzpHsTVqOQ0VYpdMqGsrKssDGsGQs", algorithm=MD5, 
qop="auth", stale=true

> Caching of digest credentials broken when server expires nonce  (regression 
> bug)
> --------------------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-1338
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1338
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient
>    Affects Versions: 4.2.3
>            Reporter: F Carlsen
>              Labels: digest, performance
>             Fix For: 4.3 Beta2
>
>         Attachments: 4.1.3.txt, 4.2.3.txt
>
>
> In 4.2.3 caching of digest authentication is broken after the server issues a 
> new nonce. 
> By default (when using a new local HttpContext for each request) the client 
> will receive a 401 before every successful 200. To avoid this, the 
> HttpContext must be reused between requests. This initializes the AuthCache 
> and creates 1 DigestScheme instance, and subsequent requests will be 
> "pre-authenticated" based on the first returned nonce from the server.  One 
> will then get one 401 first with server issued nonce, then subsequent 
> requests will make use of this nonce to authenticate and avoid superfluous 
> 401s.  As the BasicHttpContext is not thread-safe it must be cached by thread 
> if the client can issue requests on multiple threads.
> So far so good.
> However, when the server issues a new nonce (after it perhaps has expired or 
> maybe been reverse proxied over to a different server instance) then it 
> doesn't cache the updated nonce, but we end up trying to reuse the old one as 
> long as we reuse an AuthCache. So caching the nonce from the server only 
> works for a short while until the server decides to change it, and 
> thereafter it is back to getting a 401 for every request first before it 
> succeeds.
> This happens because when it fails after the nonce is expired it creates a new 
> DigestScheme instance inside the TargetAuthenticationStrategy, but this new 
> instance is only cached for the ongoing request (until 200 received) and 
> afterwards discarded, while the reused HttpContext now has an AuthCache which 
> references the old DigestScheme with the original nonce from the server. On 
> subsequent tries we then end up reusing an old DigestScheme instance with an 
> out-of-date nonce, but have no way of detecting that the nonce was updated as 
> this takes place wholly inside AbstractHttpClient, and it creates a new 
> DigestScheme which isn't set in the reused HttpContext.
> The result is a performance issue, as it then has to issue two http calls for 
> every request to succeed, even though the credentials provided are cached and 
> available on the client.
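As an added model (not HttpClient's own code) of the cache behaviour described in the report and in the log excerpt above: a minimal RFC 2617 Digest client in Python whose per-realm AuthCache either keeps or replaces the stored DigestScheme when the server re-challenges with stale=true. The challenge strings are constructed from the nonces in the attached log; the parse helper, the password and the class names are assumptions, not the library's API.

```python
import hashlib
import re
# Constructed challenges; the two nonces are the ones quoted in the attached log.
_BASE = 'Digest realm="ard-test-realm", domain="/ard", algorithm=MD5, qop="auth"'
FIRST = _BASE + ', nonce="nX4TpLLo4Teyb9/j4Y8mIwZqb3l7FcYa"'
STALE = _BASE + ', nonce="PtIh3EfN3OW9pVCOfb0Xyf7Zz6F0/1tN", stale=true'
_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')

def parse_challenge(header):
    """Split a 'Digest ...' challenge into a dict of its parameters (assumed helper)."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge")
    return {k: q or u for k, q, u in _PARAM.findall(params)}

def _md5(s): return hashlib.md5(s.encode()).hexdigest()

class DigestScheme:
    """State a cache keeps between requests: the server nonce and the nc counter."""
    def __init__(self, challenge):
        self.realm, self.nonce, self.nc = challenge["realm"], challenge["nonce"], 0
    def authorize(self, method, uri, user, password, cnonce):
        """RFC 2617 qop=auth response; nc must increase on every reuse of the nonce."""
        self.nc += 1
        nc = f"{self.nc:08x}"
        ha1 = _md5(f"{user}:{self.realm}:{password}")
        ha2 = _md5(f"{method}:{uri}")
        resp = _md5(f"{ha1}:{self.nonce}:{nc}:{cnonce}:auth:{ha2}")
        return {"nonce": self.nonce, "nc": nc, "response": resp}

class AuthCache:
    """Per-context cache of schemes by realm; replace_on_stale=False models the bug."""
    def __init__(self, replace_on_stale=True):
        self.replace_on_stale, self.by_realm = replace_on_stale, {}
    def on_challenge(self, header):
        """Handle a 401: the fresh scheme serves the retry; the cache decides the next request."""
        ch = parse_challenge(header)
        fresh = DigestScheme(ch)
        stale = ch.get("stale", "").lower() == "true"
        if ch["realm"] not in self.by_realm or (stale and self.replace_on_stale):
            self.by_realm[ch["realm"]] = fresh
        return fresh

def next_request_nonce(replace_on_stale):
    # Initial challenge, stale=true re-challenge, then the nonce the cache would send next.
    cache = AuthCache(replace_on_stale)
    cache.on_challenge(FIRST)
    cache.on_challenge(STALE)
    return cache.by_realm["ard-test-realm"].nonce
```

With replace_on_stale=False the cache keeps sending the first nonce after the stale=true challenge, which is exactly the repeated nonce visible in requests #108 and #123 above.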
