[ 
https://issues.apache.org/jira/browse/HTTPCLIENT-1855?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16258136#comment-16258136
 ] 

Oleg Kalnichevski commented on HTTPCLIENT-1855:
-----------------------------------------------

@[[email protected]] I have my hands full with 5.x development, so 
ideally I would like you to scratch your own itch. But I put together a patch 
that should help you get going. Please have a look at 
[935ddb935383083a50a65eb67cd889b6d0bcdb97|https://github.com/ok2c/httpclient/commit/935ddb935383083a50a65eb67cd889b6d0bcdb97].
 It should resolve the problem with having to abuse auth state management logic 
in order to trigger auth cache update on every request / response exchange. If 
it looks reasonable to you I'll push it to the official master branch.

There is no need to revert anything because with 
[d88e32f9525f36bbbb46dc212648fd484e70a072|https://github.com/apache/httpcomponents-client/commit/d88e32f9525f36bbbb46dc212648fd484e70a072]
 one can annotate any arbitrary {{AuthScheme}} with {{@AuthStateCacheable}} to 
make it cacheable.

Oleg 


> Digest auth: Nonce counter not incremented after reuse
> ------------------------------------------------------
>
>                 Key: HTTPCLIENT-1855
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1855
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient (classic)
>    Affects Versions: 4.5.2
>            Reporter: Alessandro Gherardi
>         Attachments: HttpClient5Digest.java, HttpClientDigest.java, 
> httpclient5.log, wireshark.txt
>
>
> I have a client app using httpclient 4.5.2 with BasicCredentialsProvider and 
> BasicAuthCache, and a web server that requires HTTP digest authentication. 
> The client sends 3 requests to the web server. 
> When the app sends the first request, the server returns an HTTP 401 with a 
> digest challenge. httpclient automatically retries the request with the 
> Authorization header. The header contains the nonce returned by the server 
> and a nonce counter (nc) of 1. The retry succeeds and httpclient caches the 
> DigestScheme.
> For the second request, httpclient uses the cached DigestScheme to calculate 
> the Authorization header pre-emptively. The header contains the same nonce 
> and specifies a nonce counter of 2. The request succeeds without requiring a 
> retry.
> For the third request, httpclient uses the cached DigestScheme to calculate 
> the Authorization header pre-emptively. Even though the header contains the 
> same nonce, the nonce counter is set to 2 again. This causes the server to 
> return a 401. httpclient should have incremented the nonce counter to 3.
> I believe that the root cause of this problem is that, although DigestScheme 
> increases the nonceCount field every time the authenticate() method is 
> called, HttpAuthenticator does not re-cache DigestScheme after reusing it. 
> The re-cache is needed because BasicAuthCache stores DigestScheme in 
> serialized format.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
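
The failure described in the issue, as an added, self-contained Java model (not HttpClient code and not taken from the reporter's attachments). `Scheme`, `SerializingCache` and `serverStatus` are hypothetical stand-ins for DigestScheme, a cache that stores schemes in serialized form, and a server that rejects a reused nc for the same nonce; the nonce value is constructed.

```java
import java.io.*;
import java.util.*;

public class NonceCountDemo {
    // Stand-in for a digest scheme: the server nonce plus the client's request counter.
    static class Scheme implements Serializable {
        final String nonce; int nonceCount;
        Scheme(String nonce) { this.nonce = nonce; }
        String authenticate() { return String.format("nonce=%s, nc=%08x", nonce, ++nonceCount); }
    }

    // Stand-in for a cache that keeps schemes serialized, so get() returns a fresh copy.
    static class SerializingCache {
        private byte[] stored;
        void put(Scheme s) throws IOException {
            ByteArrayOutputStream buf = new ByteArrayOutputStream();
            try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(s); }
            stored = buf.toByteArray();
        }
        Scheme get() throws IOException, ClassNotFoundException {
            try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(stored))) {
                return (Scheme) in.readObject();
            }
        }
    }

    // Assumed server-side replay check: nc for a given nonce must strictly increase.
    static int lastSeen = 0;
    static int serverStatus(int nc) { if (nc <= lastSeen) return 401; lastSeen = nc; return 200; }

    static List<String> run(boolean recacheAfterUse) throws Exception {
        lastSeen = 0;
        SerializingCache cache = new SerializingCache();
        List<String> log = new ArrayList<>();
        Scheme first = new Scheme("constructed-nonce");   // request 1: answer to the 401 challenge
        log.add(first.authenticate() + " -> " + serverStatus(first.nonceCount));
        cache.put(first);
        for (int i = 2; i <= 3; i++) {                     // requests 2 and 3: pre-emptive auth
            Scheme cached = cache.get();                   // deserialized copy, not the live object
            log.add(cached.authenticate() + " -> " + serverStatus(cached.nonceCount));
            if (recacheAfterUse) cache.put(cached);        // persist the incremented counter
        }
        return log;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("no re-cache: " + run(false));
        System.out.println("re-cache:    " + run(true));
    }
}
```

Comparing the two printed runs shows the difference the issue attributes to re-caching: only when the used copy is written back does the stored counter advance between requests.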
