[jira] [Commented] (HTTPCLIENT-1855) Digest auth: Nonce counter not incremented after reuse

[ASF subversion and git services (JIRA)]

    [ 
https://issues.apache.org/jira/browse/HTTPCLIENT-1855?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16189463#comment-16189463
 ] 

ASF subversion and git services commented on HTTPCLIENT-1855:
-------------------------------------------------------------

Commit c82799f1eb29e3f74bac0c7be61c8f3e37d702e4 in httpcomponents-client's 
branch refs/heads/4.6.x from alessandro.gherardi
[ https://git-wip-us.apache.org/repos/asf?p=httpcomponents-client.git;h=c82799f 
]

HTTPCLIENT-1855: Update DIGEST nonce counter in auth cache after auth challenge


> Digest auth: Nonce counter not incremented after reuse
> ------------------------------------------------------
>
>                 Key: HTTPCLIENT-1855
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1855
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient (classic)
>    Affects Versions: 4.5.2
>            Reporter: Alessandro Gherardi
>            Assignee: Oleg Kalnichevski
>             Fix For: 5.0 Alpha3
>
>         Attachments: HttpClientDigest.java, wireshark.txt
>
>
> I have a client app using httpclient 4.5.2 with BasicCredentialsProvider and 
> BasicAuthCache. and web server that requires HTTP digest authentication. 
> The client sends 3 requests to the web server. 
> When the app sends the first request, the server returns an HTTP 401 with a 
> digest challenge. httpclient automatically retries the request with the 
> Authorization header. The header contains the nonce returned by the server 
> and a nonce counter (nc) of 1. The retry succeeds and httpclient caches the 
> DigestScheme.
> For the second request, httpclient uses the cached DigestScheme to calculate 
> the Authorization header pre-emptively. The header contains the same nonce 
> and specifies a nonce counter of 2. The request succeed without requiring a 
> retry.
> For the third request, httpclient uses the cached DigestScheme to calculate 
> the Authorization header pre-emptively. Even though the header contains the 
> same nonce, the nonce counter is set to 2 again. This causes the server to 
> return a 401. httpclient should have incremented the nonce counter to 3.
> I believe that the root cause of this problem is that, although DigestScheme 
> increases the nonceCount field every time the authenticate() method is 
> called, HttpAuthenticator does not re-cache DigestScheme after reusing it. 
> The re-cache is needed because BasicAuthCache stores DigestScheme in 
> serialized format.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@hc.apache.org
For additional commands, e-mail: dev-h...@hc.apache.org