[
https://issues.apache.org/jira/browse/HTTPCLIENT-1489?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13944143#comment-13944143
]
Sebb commented on HTTPCLIENT-1489:
----------------------------------
What about commas in quoted strings? AFAICT commas are allowed there.
And parsing quoted strings is not trivial either as it seems they can contain
doubled quotes.
It looks like you can define your own AuthenticationStrategy, so you could
subclass TargetAuthenticationStrategy and override the getChallenges method.
If you know you are only going to have to deal with relatively simple lists of
changes, it would probably be easy enough to do the splitting yourself.
But as far as I can tell, in general it is not going to be trivial to split the
header value into multiple challenges.
> Multiple, comma-separated challenges in WWW-Authenticate are not recognized
> ---------------------------------------------------------------------------
>
> Key: HTTPCLIENT-1489
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1489
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpClient
> Affects Versions: 4.3.3
> Reporter: bitfire
> Labels: authentication, parsing
> Fix For: 4.4 Final
>
>
> As per RFC 2616, WWW-Authenticate may contain more than one challenge:
> »User agents are advised to take special care in parsing the WWW-
> Authenticate field value as it might contain more than one challenge, or if
> more than one WWW-Authenticate header field is provided, the contents of a
> challenge itself can contain a comma-separated list of authentication
> parameters.« [https://tools.ietf.org/html/rfc2616#section-14.47]
> For instance, https://contacts.icloud.com returns such a WWW-Authenticate
> header:
> > GET / HTTP/1.1
> > Host: contacts.icloud.com
> > Accept: */*
> >
> < HTTP/1.1 401 Unauthorized
> < ...
> < WWW-Authenticate: X-MobileMe-AuthToken realm="Newcastle", Basic
> realm="Newcastle"
> The X-MobileMe-AuthToken challenge is recognized by HttpClient, but the Basic
> challenge is not. HttpClient logs when sending a GET request to
> https://contacts.icloud.com:
> [DEBUG] headers - http-outgoing-0 << HTTP/1.1 401 Unauthorized
> [DEBUG] headers - http-outgoing-0 << Date: Fri, 21 Mar 2014 19:20:14 GMT
> [DEBUG] headers - http-outgoing-0 << X-Apple-Request-UUID:
> d1d0aa7d-d651-4da2-be9f-595f1619db85
> [DEBUG] headers - http-outgoing-0 << X-Responding-Instance:
> carddav:12100701:st13p21ic-quav11230703:8001:14B52:125783
> [DEBUG] headers - http-outgoing-0 << WWW-Authenticate: X-MobileMe-AuthToken
> realm="Newcastle", Basic realm="Newcastle"
> [DEBUG] headers - http-outgoing-0 << Content-Length: 0
> [DEBUG] MainClientExec - Connection can be kept alive indefinitely
> [DEBUG] HttpAuthenticator - Authentication required
> [DEBUG] HttpAuthenticator - contacts.icloud.com:443 requested authentication
> [INFO] TargetAuthenticationStrategy - GOT Auth header: X-MobileMe-AuthToken
> realm="Newcastle", Basic realm="Newcastle"
> [DEBUG] TargetAuthenticationStrategy - Authentication schemes in the order of
> preference: [negotiate, Kerberos, NTLM, Digest, Basic]
> [DEBUG] TargetAuthenticationStrategy - Challenge for negotiate authentication
> scheme not available
> [DEBUG] TargetAuthenticationStrategy - Challenge for Kerberos authentication
> scheme not available
> [DEBUG] TargetAuthenticationStrategy - Challenge for NTLM authentication
> scheme not available
> [DEBUG] TargetAuthenticationStrategy - Challenge for Digest authentication
> scheme not available
> [DEBUG] TargetAuthenticationStrategy - Challenge for Basic authentication
> scheme not available
> The Basic auth challenge is NOT recognized!
> Reason: org.apache.http.impl.client.AuthenticationStrategyImpl:getChallenges
> iterates through the WWW-Authenticate HEADERS but doesn't take account that a
> single header may contain multiple challenges.
> How to fix:
> Split and parse the WWW-Authenticate header correctly in
> org.apache.http.impl.client.AuthenticationStrategyImpl:getChallenges
--
This message was sent by Atlassian JIRA
(v6.2#6252)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
