[
https://issues.apache.org/jira/browse/HTTPCLIENT-1489?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13944150#comment-13944150
]
bitfire commented on HTTPCLIENT-1489:
-------------------------------------
{quote}What about commas in quoted strings? AFAICT commas are allowed
there.{quote}
Yes, commas are allowed, but only when quoted.
{quote}And parsing quoted strings is not trivial either as it seems they can
contain doubled quotes.{quote}
What do you mean by "doubled quotes"? Quotation chars in values MUST be escaped
to \" ("quoted-string" definition), so the syntax is unambiguous.
{quote}
It looks like you can define your own AuthenticationStrategy, so you could
subclass TargetAuthenticationStrategy and override the getChallenges method.
{quote}
I could. In fact, I could also force preemptive authentication (so the problem
doesn't even occur). But I'm not looking for a dirty workaround for my specific
project, but I want to contribute to a standards-compliant solution that may
also help others with the same problem.
{quote}
But as far as I can tell, in general it is not going to be trivial to split the
header value into multiple challenges.
{quote}
I don't think it's trivial, that's why I have suggested an algorithm above.
What's your opionion about it?
> Multiple, comma-separated challenges in WWW-Authenticate are not recognized
> ---------------------------------------------------------------------------
>
> Key: HTTPCLIENT-1489
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1489
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpClient
> Affects Versions: 4.3.3
> Reporter: bitfire
> Labels: authentication, parsing
> Fix For: 4.4 Final
>
>
> As per RFC 2616, WWW-Authenticate may contain more than one challenge:
> »User agents are advised to take special care in parsing the WWW-
> Authenticate field value as it might contain more than one challenge, or if
> more than one WWW-Authenticate header field is provided, the contents of a
> challenge itself can contain a comma-separated list of authentication
> parameters.« [https://tools.ietf.org/html/rfc2616#section-14.47]
> For instance, https://contacts.icloud.com returns such a WWW-Authenticate
> header:
> > GET / HTTP/1.1
> > Host: contacts.icloud.com
> > Accept: */*
> >
> < HTTP/1.1 401 Unauthorized
> < ...
> < WWW-Authenticate: X-MobileMe-AuthToken realm="Newcastle", Basic
> realm="Newcastle"
> The X-MobileMe-AuthToken challenge is recognized by HttpClient, but the Basic
> challenge is not. HttpClient logs when sending a GET request to
> https://contacts.icloud.com:
> [DEBUG] headers - http-outgoing-0 << HTTP/1.1 401 Unauthorized
> [DEBUG] headers - http-outgoing-0 << Date: Fri, 21 Mar 2014 19:20:14 GMT
> [DEBUG] headers - http-outgoing-0 << X-Apple-Request-UUID:
> d1d0aa7d-d651-4da2-be9f-595f1619db85
> [DEBUG] headers - http-outgoing-0 << X-Responding-Instance:
> carddav:12100701:st13p21ic-quav11230703:8001:14B52:125783
> [DEBUG] headers - http-outgoing-0 << WWW-Authenticate: X-MobileMe-AuthToken
> realm="Newcastle", Basic realm="Newcastle"
> [DEBUG] headers - http-outgoing-0 << Content-Length: 0
> [DEBUG] MainClientExec - Connection can be kept alive indefinitely
> [DEBUG] HttpAuthenticator - Authentication required
> [DEBUG] HttpAuthenticator - contacts.icloud.com:443 requested authentication
> [INFO] TargetAuthenticationStrategy - GOT Auth header: X-MobileMe-AuthToken
> realm="Newcastle", Basic realm="Newcastle"
> [DEBUG] TargetAuthenticationStrategy - Authentication schemes in the order of
> preference: [negotiate, Kerberos, NTLM, Digest, Basic]
> [DEBUG] TargetAuthenticationStrategy - Challenge for negotiate authentication
> scheme not available
> [DEBUG] TargetAuthenticationStrategy - Challenge for Kerberos authentication
> scheme not available
> [DEBUG] TargetAuthenticationStrategy - Challenge for NTLM authentication
> scheme not available
> [DEBUG] TargetAuthenticationStrategy - Challenge for Digest authentication
> scheme not available
> [DEBUG] TargetAuthenticationStrategy - Challenge for Basic authentication
> scheme not available
> The Basic auth challenge is NOT recognized!
> Reason: org.apache.http.impl.client.AuthenticationStrategyImpl:getChallenges
> iterates through the WWW-Authenticate HEADERS but doesn't take account that a
> single header may contain multiple challenges.
> How to fix:
> Split and parse the WWW-Authenticate header correctly in
> org.apache.http.impl.client.AuthenticationStrategyImpl:getChallenges
--
This message was sent by Atlassian JIRA
(v6.2#6252)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
