[jira] [Commented] (HTTPCLIENT-1451) HttpClient does not store response cookies on a 401

Fri, 24 Jan 2014 10:06:08 -0800 

    [ 
https://issues.apache.org/jira/browse/HTTPCLIENT-1451?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13881218#comment-13881218
 ] 

Richard Sand commented on HTTPCLIENT-1451:
------------------------------------------

Hi Oleg- the web service is a commercial product, CA SiteMinder. It issues
the cookie with the 401 just as a (very) rudimentary mechanism to prevent
unsolicited authentication requests. The cookie doesn't actually convey any
data, it's just a state mechanism. I still believe the client should be able
to handle it but I can see it both ways. Anyway thanks for replying, feel
free to mark the case as (distant) future or wont-fix.

Best regards,

Richard Sand | CEO
IDF Connect, Inc.
2207 Concord Ave, #359
Wilmington | Delaware 19803 | USA
Office: +1 888 765 1611 | Fax: +1 866 765 7284
Mobile: +1 267 984 3651





> HttpClient does not store response cookies on a 401
> ---------------------------------------------------
>
>                 Key: HTTPCLIENT-1451
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1451
>             Project: HttpComponents HttpClient
>          Issue Type: Improvement
>          Components: HttpAuth
>    Affects Versions: 4.3.2
>            Reporter: Richard Sand
>            Priority: Minor
>
> Using HttpClient 4.3.2 to call a Web Service which is secured with BASIC 
> authentication. The server responds to the initial request with a 401 
> response but also includes a cookie.
> The HttpClient does not place response cookies into the cookie store until 
> after it has completed the subsequent request with the Authorize header, but 
> the server rejects the authentication if the cookie is missing. 
> To work around this I had to disable the authentication capability in the 
> HttpClientContext and manually check for the 401 response code, and then send 
> a followup request with a manually set Authorize header.
> So in the use case where the HttpClient is automatically sending a followup 
> request with credentials in response to a 401, the client should place the 
> cookies from the original response into the cookie store immediately, rather 
> than waiting for after the response to the credentials (the 2nd response).



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to