[
https://issues.apache.org/jira/browse/HTTPCLIENT-1451?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14291879#comment-14291879
]
Erik van Paassen edited comment on HTTPCLIENT-1451 at 1/26/15 2:31 PM:
-----------------------------------------------------------------------
I'm experiencing this same problem when authenticating with Microsoft Forefront
Threat Management Gateway. TMG sends a header to clear the session cookie along
with a 401 upon session expiration and it seems like it does not accept
credentials if the cookie is kept (this results in a 401 again).
What would be the suggested workaround to have HttpClient process response
cookies of a 401 response?
was (Author: evpaassen):
I'm experiencing this same problem when authenticating with Microsoft Forefront
Threat Management Gateway. TMG sends a header to clear the session cookie along
with a 401 upon session expiration and it seems like it does not accept
credentials if the cookie is kept (this results in a 401 again).
What would be the suggested workaround to have HttpClient processing response
cookies of a 401 response?
> HttpClient does not store response cookies on a 401
> ---------------------------------------------------
>
> Key: HTTPCLIENT-1451
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1451
> Project: HttpComponents HttpClient
> Issue Type: Improvement
> Components: HttpAuth
> Affects Versions: 4.3.2
> Reporter: Richard Sand
> Priority: Minor
> Fix For: 5.0
>
>
> Using HttpClient 4.3.2 to call a Web Service which is secured with BASIC
> authentication. The server responds to the initial request with a 401
> response but also includes a cookie.
> The HttpClient does not place response cookies into the cookie store until
> after it has completed the subsequent request with the Authorize header, but
> the server rejects the authentication if the cookie is missing.
> To work around this I had to disable the authentication capability in the
> HttpClientContext and manually check for the 401 response code, and then send
> a followup request with a manually set Authorize header.
> So in the use case where the HttpClient is automatically sending a followup
> request with credentials in response to a 401, the client should place the
> cookies from the original response into the cookie store immediately, rather
> than waiting for after the response to the credentials (the 2nd response).
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
