[
https://issues.apache.org/jira/browse/HTTPCLIENT-1855?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16197105#comment-16197105
]
Alessandro Gherardi commented on HTTPCLIENT-1855:
-------------------------------------------------
> What should HttpClient be doing differently?
It's a performance problem.
The sample app HttpClient5Digest.java sends 3 requests to the server. I
expected httpclient to use the same server-provided nonce on all 3 requests,
each time incrementing the nonce counter nc by 1. That is the case for the 1st
and 2nd request, which have nc=1 and nc=2, respectively. For the 3rd request,
httpclient sends nc=2 again, instead of nc=3. This results in the server
rejecting the request - since the server has already received a request for
that nonce with nc=2 - and responding with an HTTP 401 with a new challenge and
nonce. This causes httpclient to have to resend the 3rd request with a
different (and this time correct) authorization header.
I copy-and-pasted the Authorization headers from the log - notice the 2nd and
3rd headers both having nonce=eafa1174b88ee53b85744f2c8f6f7307 and nc=00000002:
{code}
Authorization: Digest username="admin", realm="Sarix",
nonce="eafa1174b88ee53b85744f2c8f6f7307", uri="/control/SoftwareUpdate-1",
response="067deae08d92d60ef44b0f6a044700dc", qop=auth-int, nc=00000001,
cnonce="103ca2350da1ca4a", algorithm=MD5
Authorization: Digest username="admin", realm="Sarix",
nonce="eafa1174b88ee53b85744f2c8f6f7307", uri="/control/StreamDiscovery-1",
response="d5ebfb273477ec64c4a76d790648bf34", qop=auth-int, nc=00000002,
cnonce="103ca2350da1ca4a", algorithm=MD5
Authorization: Digest username="admin", realm="Sarix",
nonce="eafa1174b88ee53b85744f2c8f6f7307", uri="/control/SoftwareUpdate-1",
response="1f12344c596fd3dd7f1af3f56697d537", qop=auth-int, nc=00000002,
cnonce="103ca2350da1ca4a", algorithm=MD5
Authorization: Digest username="admin", realm="Sarix",
nonce="20e689c2d679afbee962e69595a5da77", uri="/control/SoftwareUpdate-1",
response="5da037b112721b2c56596098c5932343", qop=auth-int, nc=00000001,
cnonce="384513b98a74bbb4", algorithm=MD5
{code}
> Digest auth: Nonce counter not incremented after reuse
> ------------------------------------------------------
>
> Key: HTTPCLIENT-1855
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1855
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpClient (classic)
> Affects Versions: 4.5.2
> Reporter: Alessandro Gherardi
> Assignee: Oleg Kalnichevski
> Fix For: 4.5.4, 4.6 Alpha1
>
> Attachments: HttpClient5Digest.java, HttpClientDigest.java,
> httpclient5.log, wireshark.txt
>
>
> I have a client app using httpclient 4.5.2 with BasicCredentialsProvider and
> BasicAuthCache, and a web server that requires HTTP digest authentication.
> The client sends 3 requests to the web server.
> When the app sends the first request, the server returns an HTTP 401 with a
> digest challenge. httpclient automatically retries the request with the
> Authorization header. The header contains the nonce returned by the server
> and a nonce counter (nc) of 1. The retry succeeds and httpclient caches the
> DigestScheme.
> For the second request, httpclient uses the cached DigestScheme to calculate
> the Authorization header pre-emptively. The header contains the same nonce
> and specifies a nonce counter of 2. The request succeeds without requiring a
> retry.
> For the third request, httpclient uses the cached DigestScheme to calculate
> the Authorization header pre-emptively. Even though the header contains the
> same nonce, the nonce counter is set to 2 again. This causes the server to
> return a 401. httpclient should have incremented the nonce counter to 3.
> I believe that the root cause of this problem is that, although DigestScheme
> increases the nonceCount field every time the authenticate() method is
> called, HttpAuthenticator does not re-cache DigestScheme after reusing it.
> The re-cache is needed because BasicAuthCache stores DigestScheme in
> serialized format.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
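The exchange described in the report, as an added example that is not part of the issue and not HttpClient's own code: a minimal Digest client whose per-challenge state (including the nc counter) is kept in a cache that stores it serialized, run against a server that recomputes the response and rejects any nc that does not strictly exceed the last one it accepted for that nonce. `run_client(False)` reproduces the four Authorization headers in the log above (nc=1, nc=2, nc=2 rejected with 401, then nc=1 on the new nonce); `run_client(True)` re-caches the scheme after every use and gets nc=1, 2, 3. The realm, URIs and cnonce are taken from the headers above; the password `secret`, the host name, the class names and the server-side replay check are assumptions of this example. The example goes beyond the report in modelling the server side, which the report only observes as 401 responses.

```python
"""Digest auth nc handling: client state cached in serialized form versus a
server that treats a repeated nc for the same nonce as a replay (RFC 7616 3.4).
Added example; not HttpClient code. Password, host and class names are constructed."""
import hashlib
import pickle
import secrets


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop, body=b""):
    """response = H(H(A1):nonce:nc:cnonce:qop:H(A2)), algorithm=MD5.
    For qop=auth-int, A2 also covers the hash of the entity body."""
    ha1 = md5_hex(f"{username}:{realm}:{password}".encode())
    a2 = f"{method}:{uri}" + (f":{md5_hex(body)}" if qop == "auth-int" else "")
    ha2 = md5_hex(a2.encode())
    return md5_hex(f"{ha1}:{nonce}:{nc:08x}:{cnonce}:{qop}:{ha2}".encode())


class DigestScheme:
    """Client state for one challenge. The nc counter lives in this object, so
    whoever holds the object holds the only copy of the counter (simplified
    stand-in for HttpClient's DigestScheme, not the real class)."""

    def __init__(self, realm, nonce, qop="auth-int", cnonce="103ca2350da1ca4a"):
        self.realm, self.nonce, self.qop, self.cnonce = realm, nonce, qop, cnonce
        self.nonce_count = 0

    def authenticate(self, username, password, method, uri, body=b""):
        self.nonce_count += 1
        return {
            "username": username, "realm": self.realm, "nonce": self.nonce, "uri": uri,
            "response": digest_response(username, self.realm, password, method, uri,
                                        self.nonce, self.nonce_count, self.cnonce, self.qop, body),
            "qop": self.qop, "nc": f"{self.nonce_count:08x}", "cnonce": self.cnonce,
            "algorithm": "MD5",
        }


class SerializingAuthCache:
    """Stores a serialized snapshot, so get() hands back a fresh copy: counter
    increments made on that copy are lost unless the caller puts it back."""

    def __init__(self):
        self._blobs = {}

    def put(self, host, scheme):
        self._blobs[host] = pickle.dumps(scheme)

    def get(self, host):
        blob = self._blobs.get(host)
        return pickle.loads(blob) if blob is not None else None


class DigestServer:
    """Recomputes the response and requires nc to increase strictly per nonce."""

    def __init__(self, realm, users):
        self.realm, self.users = realm, users
        self.highest_nc = {}  # nonce -> highest nc accepted so far

    def challenge(self):
        nonce = secrets.token_hex(16)  # constructed; fresh per challenge
        self.highest_nc[nonce] = 0
        return 401, {"realm": self.realm, "nonce": nonce, "qop": "auth-int"}

    def handle(self, method, uri, auth, body=b""):
        if auth is None or auth["nonce"] not in self.highest_nc:
            return self.challenge()
        password = self.users.get(auth["username"])
        if password is None:
            return self.challenge()
        nc = int(auth["nc"], 16)
        expected = digest_response(auth["username"], self.realm, password, method, uri,
                                   auth["nonce"], nc, auth["cnonce"], auth["qop"], body)
        if expected != auth["response"] or nc <= self.highest_nc[auth["nonce"]]:
            return self.challenge()  # wrong response or replayed/stale nc: re-challenge
        self.highest_nc[auth["nonce"]] = nc
        return 200, None


def run_client(recache_after_reuse):
    """Send the three requests; return (nc, status) for every Authorization header sent."""
    server = DigestServer("Sarix", {"admin": "secret"})  # credentials are constructed
    cache, host, sent = SerializingAuthCache(), "camera.example", []
    uris = ["/control/SoftwareUpdate-1", "/control/StreamDiscovery-1", "/control/SoftwareUpdate-1"]
    for uri in uris:
        scheme = cache.get(host)
        from_challenge = scheme is None
        if from_challenge:
            _, chal = server.handle("GET", uri, None)  # 401 with a Digest challenge
            scheme = DigestScheme(chal["realm"], chal["nonce"])
        auth = scheme.authenticate("admin", "secret", "GET", uri)
        status, chal = server.handle("GET", uri, auth)
        sent.append((auth["nc"], status))
        if status == 401:  # rejected: start over with the nonce from the new challenge
            scheme, from_challenge = DigestScheme(chal["realm"], chal["nonce"]), True
            auth = scheme.authenticate("admin", "secret", "GET", uri)
            status, _ = server.handle("GET", uri, auth)
            sent.append((auth["nc"], status))
        if status == 200 and (from_challenge or recache_after_reuse):
            cache.put(host, scheme)  # re-caching after reuse is what keeps nc moving
    return sent
```

The only difference between the two runs is whether the scheme is written back to the cache after a pre-emptive use; with a cache that stores the scheme serialized, the counter advanced on the deserialized copy is otherwise discarded, which is exactly the repeated nc=00000002 in the log.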