[ https://issues.apache.org/jira/browse/HTTPCLIENT-1338?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13628923#comment-13628923 ]
F Carlsen commented on HTTPCLIENT-1338:
---------------------------------------
Upgraded to 4.2.4 but it has the same issue.
> Caching of digest credentials broken when server expires nonce (regression
> bug)
> --------------------------------------------------------------------------------
>
> Key: HTTPCLIENT-1338
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1338
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpClient
> Affects Versions: 4.2.3
> Reporter: F Carlsen
> Labels: digest, performance
> Fix For: 4.3 Beta2
>
> Attachments: 4.1.3.txt, 4.2.3.txt
>
>
> In 4.2.3 caching of digest authentication is broken after server issues new
> nonce.
> By default (when using a new local HttpContext for each request) the client
> will receive a 401 before every successful 200. To avoid this, the
> HttpContext must be reused between requests. This initializes the AuthCache
> and creates 1 DigestScheme instance, and subsequent requests will be
> "pre-authenticated" based on the first returned nonce from the server. One
> will then get one 401 first with server issued nonce, then subsequent
> requests will make use of this nonce to authenticate and avoid superfluous
> 401s. As the BasicHttpContext is not thread-safe it must be cached by thread
> if the client can issue requests on multiple threads.
> So far so good.
> However, when the server issues a new nonce (after it perhaps has expired or
> maybe been reverse proxied over to a different server instance) then it
> doesn't cache the updated nonce, but we end up trying to reuse the old one as
> long as we reuse an AuthCache. So caching the nonce from the server only
> works for a short while until the server decides to change it, and
> thereafter it is back to getting a 401 for every request first before it
> succeeds.
> This happens because when it fails after nonce is expired it creates a new
> DigestScheme instance inside the TargetAuthenticationStrategy, but this new
> instance is only cached for the ongoing request (until 200 received) and
> afterwards discarded, while the reused HttpContext now has an AuthCache which
> references the old DigestScheme with the original nonce from the server. On
> subsequent tries we then end up reusing an old DigestScheme instance with an
> out-of-date nonce, but have no way of detecting that the nonce was updated as
> this takes place wholly inside AbstractHttpClient, and it creates a new
> DigestScheme which isn't set in the reused HttpContext.
> The result is a performance issue, as it then has to issue two http calls for
> every request to succeed, even though the credentials provided are cached and
> available on the client.
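The round-trip cost described in the issue, as an added model that is not part of the original message and is not HttpClient code: a client that keeps the first cached nonce forever is compared with one that stores the nonce from each new challenge. The `Server`, `Client` and `round_trips` names, the "rotate after N uses" nonce policy and the simplified SHA-256 digest are assumptions made for illustration.

```python
import hashlib
import itertools

def digest(user, password, nonce, uri):
    """Simplified digest response (no realm/qop/nc); it only binds a reply to a nonce."""
    return hashlib.sha256(f"{user}:{password}:{nonce}:{uri}".encode()).hexdigest()

class Server:
    """Rotates its nonce after `lifetime` successful uses (constructed policy)."""
    def __init__(self, lifetime):
        self.lifetime, self._ids = lifetime, itertools.count(1)
        self._rotate()

    def _rotate(self):
        self.nonce, self.uses = f"nonce-{next(self._ids)}", 0

    def handle(self, uri, auth=None):
        if self.uses >= self.lifetime:
            self._rotate()
        if auth and auth == (self.nonce, digest("user", "secret", self.nonce, uri)):
            self.uses += 1
            return 200, None
        return 401, self.nonce              # challenge carries the current nonce

class Client:
    """cached_nonce stands in for the DigestScheme held by a reused AuthCache."""
    def __init__(self, server, update_cache_on_rechallenge):
        self.server, self.update = server, update_cache_on_rechallenge
        self.cached_nonce = None
        self.round_trips = 0

    def _send(self, uri, nonce):
        self.round_trips += 1
        auth = (nonce, digest("user", "secret", nonce, uri)) if nonce else None
        return self.server.handle(uri, auth)

    def get(self, uri):
        status, challenge = self._send(uri, self.cached_nonce)  # pre-authenticated try
        if status == 401:
            first_challenge = self.cached_nonce is None
            status, _ = self._send(uri, challenge)               # retry with fresh nonce
            if first_challenge or self.update:   # update=False: fresh nonce is discarded
                self.cached_nonce = challenge
        return status

def round_trips(update_cache_on_rechallenge, requests=10, lifetime=3):
    """Total HTTP exchanges needed for `requests` successful calls."""
    client = Client(Server(lifetime), update_cache_on_rechallenge)
    assert all(client.get(f"/r/{i}") == 200 for i in range(requests))
    return client.round_trips
```

With the defaults, the stale-cache client pays a 401 on every request after the first rotation, while the updating client pays one 401 per rotation.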