[jira] [Commented] (HTTPCLIENT-1451) HttpClient does not store response cookies on a 401

Sat, 29 Mar 2014 15:16:26 -0700 

    [ 
https://issues.apache.org/jira/browse/HTTPCLIENT-1451?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13954471#comment-13954471
 ] 

Andrey K commented on HTTPCLIENT-1451:
--------------------------------------

This issue is huge issue in scenarios where client needs to auth against 
NTLM/Negotiate or similar connection-level authentications that go via load 
balancers that require cookies to maintain connection affinity. I was able to 
work around by reprocessing Set-Cookie in my Auth implementation and 
reattaching cookies in KeepAlive handler. Messy but otherwise the whole auth 
mechanism is worthless and just as Richard mentions above it requires to 
manually submit series of requests anticipating 401 and dealing with the auth 
headers. This doesn't appear to be an issue in version series 3 of the 
httpclient.

> HttpClient does not store response cookies on a 401
> ---------------------------------------------------
>
>                 Key: HTTPCLIENT-1451
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1451
>             Project: HttpComponents HttpClient
>          Issue Type: Improvement
>          Components: HttpAuth
>    Affects Versions: 4.3.2
>            Reporter: Richard Sand
>            Priority: Minor
>             Fix For: Future
>
>
> Using HttpClient 4.3.2 to call a Web Service which is secured with BASIC 
> authentication. The server responds to the initial request with a 401 
> response but also includes a cookie.
> The HttpClient does not place response cookies into the cookie store until 
> after it has completed the subsequent request with the Authorize header, but 
> the server rejects the authentication if the cookie is missing. 
> To work around this I had to disable the authentication capability in the 
> HttpClientContext and manually check for the 401 response code, and then send 
> a followup request with a manually set Authorize header.
> So in the use case where the HttpClient is automatically sending a followup 
> request with credentials in response to a 401, the client should place the 
> cookies from the original response into the cookie store immediately, rather 
> than waiting for after the response to the credentials (the 2nd response).



--
This message was sent by Atlassian JIRA
(v6.2#6252)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to