Carsten Kaiser created HTTPCLIENT-1637:
------------------------------------------

             Summary: HttpClient does not handle cookies during authentication
                 Key: HTTPCLIENT-1637
                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1637
             Project: HttpComponents HttpClient
          Issue Type: Bug
          Components: HttpClient
    Affects Versions: 4.3.6
            Reporter: Carsten Kaiser


When upgrading from HTTPClient version 4.2.x to 4.3.6 we recognized that 
cookies are no longer handled during e.g. DIGEST authentication. This causes 
the authentication to fail in our cluster environment, where a cookie is 
returned by the load balancer in front and is used to ensure that all requests 
which are part of the DIGEST handshake will be routed to the same cluster 
instance (which is crucial for the handshake to succeed!). 

From the top of my head I remember having seen a comment somewhere which stated 
that cookies are assumed to be issued by a server after authentication 
succeeded. 
From our point of view this assumption is not valid, as mentioned before.

As a workaround we registered a custom target authentication strategy 
implementation as follows:

{code}
        @Override
        public boolean isAuthenticationRequested(HttpHost authhost,
                HttpResponse response, HttpContext context) {
            final boolean isAuthenticationRequired =
                    super.isAuthenticationRequested(authhost, response, context);

            if (isAuthenticationRequired) {
                // In case authentication is required store any cookies already
                // set by the server in order to cope with situations where the
                // load balancer adds a cookie for the DIGEST authentication,
                // since the new HTTP Client library does not foresee this
                // situation by default
                try {
                    new ResponseProcessCookies().process(response, context);

                    final HttpRequest request = (HttpRequest)
                            context.getAttribute(HttpCoreContext.HTTP_REQUEST);

                    if (request != null) {
                        new RequestAddCookies().process(request, context);
                    }
                } catch (final Exception e) {
                    LOG.error("Custom handling of load balancer session cookies "
                            + "during authentication failed: "
                            + e.getMessage(), e);
                }
            }

            return isAuthenticationRequired;
        }
{code}

which is more a kind of hack...

Please check whether it is possible to add support for cookies during 
authentication again so that we do not have to apply the workaround again for 
each new version.

Thank you!

Kind regards,
CAK
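
The failure mode described in this report, as an added simulation that is not part of the original message and is not HttpClient code: each cluster instance only knows the DIGEST nonces it issued itself, so a client that drops the load balancer's cookie between the 401 challenge and the retry never authenticates. The class and function names, the credentials and the round-robin policy are assumptions; the digest is the RFC 2617 form without qop.

```python
import hashlib
import itertools
import secrets

USER, REALM, PASSWORD = "alice", "demo", "s3cret"  # constructed credentials

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(nonce, method="GET", uri="/"):
    """RFC 2617 digest response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = _md5(f"{USER}:{REALM}:{PASSWORD}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

class Instance:
    """One cluster node; nonces it issued are known only to this node."""
    def __init__(self):
        self.nonces = set()

    def handle(self, auth):
        if (auth and auth["nonce"] in self.nonces
                and auth["response"] == digest_response(auth["nonce"])):
            return 200, None
        nonce = secrets.token_hex(8)      # fresh challenge for a 401
        self.nonces.add(nonce)
        return 401, nonce

class LoadBalancer:
    """Round-robin unless the request carries the sticky cookie it set."""
    def __init__(self, n=2):
        self.nodes = [Instance() for _ in range(n)]
        self.rr = itertools.cycle(range(n))

    def request(self, cookie=None, auth=None):
        idx = int(cookie) if cookie is not None else next(self.rr)
        status, nonce = self.nodes[idx].handle(auth)
        return status, nonce, str(idx)    # Set-Cookie value = node index

def handshake(lb, keep_cookie, max_attempts=4):
    """Answer each 401 challenge; optionally replay the LB cookie on retry."""
    cookie = auth = None
    for attempt in range(1, max_attempts + 1):
        status, nonce, set_cookie = lb.request(cookie, auth)
        if status == 200:
            return attempt                # number of requests needed
        auth = {"nonce": nonce, "response": digest_response(nonce)}
        cookie = set_cookie if keep_cookie else None
    return None                           # handshake never completed
```

With the cookie replayed, the retry reaches the node that issued the nonce and succeeds on the second request; without it, every retry lands on a node that rejects the nonce and issues a new challenge.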


