Alessandro Gherardi created HTTPCLIENT-1855:
-----------------------------------------------
Summary: Digest auth: Nonce counter not incremented after reuse
Key: HTTPCLIENT-1855
URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1855
Project: HttpComponents HttpClient
Issue Type: Bug
Components: HttpClient (classic)
Affects Versions: 4.5.2
Reporter: Alessandro Gherardi
I have a client app using httpclient 4.5.2 with BasicCredentialsProvider and
BasicAuthCache, and a web server that requires HTTP digest authentication.
The client sends 3 requests to the web server.
When the app sends the first request, the server returns an HTTP 401 with a
digest challenge. httpclient automatically retries the request with the
Authorization header. The header contains the nonce returned by the server and
a nonce counter (nc) of 1. The retry succeeds and httpclient caches the
DigestScheme.
For the second request, httpclient uses the cached DigestScheme to calculate
the Authorization header pre-emptively. The header contains the same nonce and
specifies a nonce counter of 2. The request succeeds without requiring a retry.
For the third request, httpclient uses the cached DigestScheme to calculate the
Authorization header pre-emptively. Even though the header contains the same
nonce, the nonce counter is set to 2 again. This causes the server to return a
401. httpclient should have incremented the nonce counter to 3.
I believe that the root cause of this problem is that, although DigestScheme
increases the nonceCount field every time the authenticate() method is called,
HttpAuthenticator does not re-cache DigestScheme after reusing it. The re-cache
is needed because BasicAuthCache stores DigestScheme in serialized format.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
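The three-request sequence described in the report, as an added Python model that is not HttpClient code: a digest scheme whose nonce counter increments on every authenticate() call, a cache that (like BasicAuthCache) stores the scheme in serialized form so each get() hands back a fresh copy, and a server that verifies the response digest and rejects any nc not greater than the last one it accepted for the same nonce. The realm, user, password, nonce and cnonce values are constructed; the `recache_after_use` flag is a hypothetical switch that models the re-cache step the report says is missing.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Optional

# Constructed sample values for the model; none of these come from the issue.
REALM = "example-realm"
USER = "alice"
PASSWORD = "hypothetical-password"
METHOD, URI = "GET", "/protected"
SERVER_NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
CNONCE = "0a4f113b"  # client nonce held fixed so the model is deterministic


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


@dataclass
class DigestScheme:
    """Client-side digest state: the server nonce and how often it has been used."""
    nonce: str
    realm: str
    nonce_count: int = 0

    def authenticate(self, user: str, password: str, method: str, uri: str) -> dict:
        # Each call consumes one nonce count, as the report describes.
        self.nonce_count += 1
        nc = f"{self.nonce_count:08x}"
        ha1 = md5_hex(f"{user}:{self.realm}:{password}")
        ha2 = md5_hex(f"{method}:{uri}")
        response = md5_hex(f"{ha1}:{self.nonce}:{nc}:{CNONCE}:auth:{ha2}")
        return {"username": user, "realm": self.realm, "uri": uri,
                "nonce": self.nonce, "nc": nc, "cnonce": CNONCE, "response": response}


class SerializingAuthCache:
    """Stores schemes serialized; get() returns a fresh object, so mutations to
    that object are lost unless the caller puts it back into the cache."""
    def __init__(self) -> None:
        self._store: dict = {}

    def put(self, host: str, scheme: DigestScheme) -> None:
        self._store[host] = json.dumps(asdict(scheme))

    def get(self, host: str) -> Optional[DigestScheme]:
        blob = self._store.get(host)
        return DigestScheme(**json.loads(blob)) if blob else None


class DigestServer:
    """Verifies the response digest and rejects any nc that is not greater than
    the last one accepted for the same nonce (the replay check behind the 401)."""
    def __init__(self, users: dict) -> None:
        self.users = users
        self.last_nc: dict = {}

    def handle(self, hdr: dict, method: str) -> int:
        ha1 = md5_hex(f"{hdr['username']}:{hdr['realm']}:{self.users[hdr['username']]}")
        ha2 = md5_hex(f"{method}:{hdr['uri']}")
        expected = md5_hex(f"{ha1}:{hdr['nonce']}:{hdr['nc']}:{hdr['cnonce']}:auth:{ha2}")
        nc = int(hdr["nc"], 16)
        if expected != hdr["response"] or nc <= self.last_nc.get(hdr["nonce"], 0):
            return 401
        self.last_nc[hdr["nonce"]] = nc
        return 200


def run_requests(count: int, recache_after_use: bool) -> list:
    """Send `count` requests; the first is challenged and retried, the rest are
    sent pre-emptively from the cache. Returns (nc, status) per authenticated request."""
    cache, server = SerializingAuthCache(), DigestServer({USER: PASSWORD})
    results = []
    # Request 1: the 401 challenge is not recorded; the retry carries nc=1 and
    # the scheme is cached afterwards, as the report describes.
    scheme = DigestScheme(SERVER_NONCE, REALM)
    hdr = scheme.authenticate(USER, PASSWORD, METHOD, URI)
    results.append((hdr["nc"], server.handle(hdr, METHOD)))
    cache.put("host", scheme)
    for _ in range(count - 1):
        scheme = cache.get("host")          # fresh deserialized copy every time
        hdr = scheme.authenticate(USER, PASSWORD, METHOD, URI)
        results.append((hdr["nc"], server.handle(hdr, METHOD)))
        if recache_after_use:               # hypothetical: the missing re-cache step
            cache.put("host", scheme)
    return results


if __name__ == "__main__":
    print("without re-cache:", run_requests(3, recache_after_use=False))
    print("with re-cache:   ", run_requests(3, recache_after_use=True))
```

Without the re-cache, the third request re-derives nc=2 from the stale serialized copy and the server's replay check turns it away with a 401; putting the mutated scheme back after each use yields nc 1, 2, 3 and three successes.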