[
https://issues.apache.org/jira/browse/HTTPCLIENT-1451?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15356665#comment-15356665
]
Loic edited comment on HTTPCLIENT-1451 at 6/30/16 7:42 AM:
-----------------------------------------------------------
This is a real big problem with this excellent http client, even with a server
simple as a SpringSecurity application with Waffle for Windows SSO,
*WinHttpClient* is unable to authenticate just because *MainClientExec* do not
send Cookie with the Authorization header.
If you look at the behavior of Chrome, Firefox, Safari and even IE, they all
send Cookie on subsequant call if Set-Cookie is present on 401 response during
challenging authentication.
We need at least an elegant way to trade with this situation. I will take a
look at the workaround above.
Best regards,
Loïc
PS: It's working great with the workaround, thanks [~miken] !
was (Author: loic oudot):
This is a real big problem with this excellent http client, even with a server
simple as a SpringSecurity application with Waffle for Windows SSO,
*WinHttpClient* is unable to authenticate just because *MainClientExec* do not
send Cookie with the Authorization header.
If you look at the behavior of Chrome, Firefox, Safari and even IE, they all
send Cookie on subsequant call if Set-Cookie is present on 401 response during
challenging authentication.
We need at least an elegant way to trade with this situation. I will take a
look at the workaround above.
Best regards,
Loïc
> HttpClient does not store response cookies on a 401
> ---------------------------------------------------
>
> Key: HTTPCLIENT-1451
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1451
> Project: HttpComponents HttpClient
> Issue Type: Improvement
> Components: HttpAuth
> Affects Versions: 4.3.2
> Reporter: Richard Sand
> Priority: Minor
> Fix For: 5.0
>
>
> Using HttpClient 4.3.2 to call a Web Service which is secured with BASIC
> authentication. The server responds to the initial request with a 401
> response but also includes a cookie.
> The HttpClient does not place response cookies into the cookie store until
> after it has completed the subsequent request with the Authorize header, but
> the server rejects the authentication if the cookie is missing.
> To work around this I had to disable the authentication capability in the
> HttpClientContext and manually check for the 401 response code, and then send
> a followup request with a manually set Authorize header.
> So in the use case where the HttpClient is automatically sending a followup
> request with credentials in response to a 401, the client should place the
> cookies from the original response into the cookie store immediately, rather
> than waiting for after the response to the credentials (the 2nd response).
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
