[ https://issues.apache.org/jira/browse/HTTPCLIENT-1855?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16248738#comment-16248738 ]

Alessandro Gherardi commented on HTTPCLIENT-1855:
-------------------------------------------------

{quote}
There are better ways of achieving the same goal, for instance, by making 
DigestScheme instances share some common structure.
{quote}

I have a preliminary question: Are you planning on implementing the approach 
above? If yes, I'll stop bugging you and look forward
to your implementation. If not and you'd like for me to try and implement this, 
I need some guidance.

I believe we agree that reusing HttpContexts across multiple execution threads 
would require the application to implement a
HttpContext cache, and that's not an ideal option.

If multiple execution threads use different HttpContexts, pre-emptive digest 
authentication requires the DigestScheme to be cached.
So rolling back
https://github.com/apache/httpcomponents-client/commit/9368c5f5c830e3c57c8a0e4f2183b4165f0fe056
 and 
https://github.com/apache/httpcomponents-client/commit/1383e1f781012e767c0cc811aeef77e28264682d
 is a prerequisite. Do you agree?

Please let me know.


> Digest auth: Nonce counter not incremented after reuse
> ------------------------------------------------------
>
>                 Key: HTTPCLIENT-1855
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1855
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient (classic)
>    Affects Versions: 4.5.2
>            Reporter: Alessandro Gherardi
>         Attachments: HttpClient5Digest.java, HttpClientDigest.java, 
> httpclient5.log, wireshark.txt
>
>
> I have a client app using httpclient 4.5.2 with BasicCredentialsProvider and 
> BasicAuthCache and a web server that requires HTTP digest authentication. 
> The client sends 3 requests to the web server. 
> When the app sends the first request, the server returns an HTTP 401 with a 
> digest challenge. httpclient automatically retries the request with the 
> Authorization header. The header contains the nonce returned by the server 
> and a nonce counter (nc) of 1. The retry succeeds and httpclient caches the 
> DigestScheme.
> For the second request, httpclient uses the cached DigestScheme to calculate 
> the Authorization header pre-emptively. The header contains the same nonce 
> and specifies a nonce counter of 2. The request succeeds without requiring a 
> retry.
> For the third request, httpclient uses the cached DigestScheme to calculate 
> the Authorization header pre-emptively. Even though the header contains the 
> same nonce, the nonce counter is set to 2 again. This causes the server to 
> return a 401. httpclient should have incremented the nonce counter to 3.
> I believe that the root cause of this problem is that, although DigestScheme 
> increases the nonceCount field every time the authenticate() method is 
> called, HttpAuthenticator does not re-cache DigestScheme after reusing it. 
> The re-cache is needed because BasicAuthCache stores DigestScheme in 
> serialized format.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
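The cache-snapshot behaviour diagnosed in the quoted bug report, reproduced as an added, stand-alone example. This is not code from the report, its attachments or the HttpClient project: it assumes httpclient 4.5.x (with its httpcore dependency) on the classpath, and the class name DigestNonceCountDemo, the target host, the credentials, and the realm and nonce in the challenge are all constructed for the demo. It drives DigestScheme directly rather than through HttpClient, so that the effect of BasicAuthCache handing back a deserialized copy on every get() can be seen in isolation: the nc value from each authenticate() call is printed, first for the scheme that answered the 401, then for two copies pulled from the cache without re-caching, and finally for a copy pulled after the scheme was put back, which is what the report says HttpAuthenticator fails to do.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.apache.http.Header;
import org.apache.http.HttpHost;
import org.apache.http.HttpRequest;
import org.apache.http.auth.Credentials;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.AuthCache;
import org.apache.http.impl.auth.DigestScheme;
import org.apache.http.impl.client.BasicAuthCache;
import org.apache.http.message.BasicHeader;
import org.apache.http.message.BasicHttpRequest;
import org.apache.http.protocol.BasicHttpContext;
import org.apache.http.protocol.HttpContext;

/** Hypothetical demo class, not part of HttpClient. Needs httpclient 4.5.x on the classpath. */
public class DigestNonceCountDemo {

    // The nc parameter is emitted unquoted as eight hex digits; "cnonce"/"nonce" do not match "nc=".
    private static final Pattern NC = Pattern.compile("\\bnc=([0-9a-fA-F]{8})");

    // Constructed credentials; any values work because no server verifies the response hash here.
    private static final Credentials CREDS = new UsernamePasswordCredentials("alice", "secret");

    /** Sign one request with the given scheme instance and return the nc value it produced. */
    static String signAndGetNc(DigestScheme scheme, HttpRequest request, HttpContext ctx) throws Exception {
        Header authz = scheme.authenticate(CREDS, request, ctx);
        Matcher m = NC.matcher(authz.getValue());
        return m.find() ? m.group(1) : "(no nc parameter)";
    }

    public static void main(String[] args) throws Exception {
        HttpHost target = new HttpHost("example.test", 80, "http"); // constructed target
        HttpContext ctx = new BasicHttpContext();
        HttpRequest req = new BasicHttpRequest("GET", "/protected");
        AuthCache cache = new BasicAuthCache();

        // Stand-in for the server's 401 challenge (constructed realm and nonce, qop=auth so nc is sent).
        DigestScheme scheme = new DigestScheme();
        scheme.processChallenge(new BasicHeader("WWW-Authenticate",
                "Digest realm=\"demo\", nonce=\"dcd98b7102dd2f0e8b11d0f600bfb0c093\", qop=\"auth\""));

        // Request 1: the retry that answers the 401. Afterwards the scheme is cached, as HttpAuthenticator does.
        System.out.println("request 1: nc=" + signAndGetNc(scheme, req, ctx));
        cache.put(target, scheme); // BasicAuthCache stores a serialized snapshot of the scheme at this point

        // Request 2: pre-emptive auth. get() deserializes a fresh copy of the snapshot, not the live object.
        DigestScheme copy2 = (DigestScheme) cache.get(target);
        System.out.println("request 2: nc=" + signAndGetNc(copy2, req, ctx)
                + "  (copy is the original object? " + (copy2 == scheme) + ")");
        // copy2's counter advanced in memory only; the cache still holds the request-1 snapshot.

        // Request 3: another get() yields another copy of the same stale snapshot.
        DigestScheme copy3 = (DigestScheme) cache.get(target);
        System.out.println("request 3: nc=" + signAndGetNc(copy3, req, ctx));

        // What the report asks HttpAuthenticator to do: put the used scheme back so the next
        // deserialized copy starts from the advanced counter.
        cache.put(target, copy3);
        DigestScheme copy4 = (DigestScheme) cache.get(target);
        System.out.println("request 4, after re-caching: nc=" + signAndGetNc(copy4, req, ctx));
    }
}
```

Compile and run it with httpclient 4.5.x and httpcore on the classpath (for example `javac -cp httpclient-4.5.2.jar:httpcore-4.4.4.jar:commons-logging-1.2.jar DigestNonceCountDemo.java` followed by `java -cp .:httpclient-4.5.2.jar:httpcore-4.4.4.jar:commons-logging-1.2.jar DigestNonceCountDemo`). If the cache behaves as the report describes, requests 2 and 3 print the same nc while request 4 prints the next value, and the printed identity check shows that the cached copy is never the object that was put. Re-caching after every use restores a monotonic counter for one thread, but it does not address the situation discussed in the comment above: several threads taking copies from one shared cache can still each obtain the same snapshot and present the same nc for the same nonce, which a server that enforces nc ordering will reject.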
