Github user agherardi commented on a diff in the pull request:

    
https://github.com/apache/httpcomponents-client/pull/88#discussion_r151874368
  
    --- Diff: httpclient5/src/main/java/org/apache/hc/client5/http/auth/AuthCache.java ---
    @@ -45,4 +45,8 @@
     
         void clear();
     
    +    boolean canCache(String name);
    +
    +    boolean needsUpdatingAfterReusing(String name);
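Review bot: both new methods, `canCache(String name)` and `needsUpdatingAfterReusing(String name)`, are added to the public `AuthCache` interface without Javadoc, so an implementor cannot tell what `name` identifies (the auth scheme name?), what a `true` return commits the cache to, or who is responsible for calling them; please document the contract on both, including the threading expectation that the discussion below relies on. Also note that adding abstract methods to an existing interface forces every third-party `AuthCache` implementation to change; if the target Java level allows it, `default` implementations returning `false` (matching the `BasicAuthCache` behaviour described below) would keep existing implementations compiling.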
    --- End diff --
    
    Yes. Consider the following scenario:
    
    - The auth cache contains a DigestScheme for host H, with nonce=N and nonce 
count=1
    - Thread A needs to send a request to host H. The thread retrieves the 
DigestScheme from the cache, increments nonce count to 2 and uses N to create 
an Authorization header for its HTTP request.
    - Thread B also needs to send a request to host H. If the cache returns the 
same DigestScheme, thread B creates an Authorization header for its HTTP 
request with nonce=N and nonce count=3.
    - If thread B sends its HTTP request before thread A sends its HTTP 
request, host H rejects thread B's request because the nonce count is 3 instead 
of 2.
    
    IMO, a DigestScheme needs to be removed from the cache until a response is 
received from the server, so that no other thread can use the same nonce. If a 
successful response is received from the server, the DigestScheme can be 
re-cached with an updated nonce count.
    
    I wrote a custom AuthCache that implements the behavior above. The cache 
stores AuthSchemes unserialized. The cost of un-caching and re-caching 
DigestSchemes for every message exchange is minimal, especially when compared 
to the cost of a network roundtrip if the request needs to be resent due to the 
nonce count being out-of-sequence.
    
    The needsUpdatingAfterReusing method allowed me to implement the custom 
AuthCache, which is not part of this merge request. BasicAuthCache's 
implementation of needsUpdatingAfterReusing returns FALSE, so BasicAuthCache is 
not updated on every message exchange - which is what you want.


---

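The race described in the comment above, as an added example that is not part of the pull request, the commenter's code, or HttpClient itself. It is a small Python model of the interleaving: a constructed "server" enforces the nonce-count sequence the way a digest server may (each nc for a nonce must be exactly one higher than the last one accepted), a `SharedAuthCache` hands the same `DigestScheme` object to every caller, and a `CheckoutAuthCache` removes the scheme on `get()` and only re-caches it after a successful response. The class and method names (`DigestServer`, `SharedAuthCache`, `CheckoutAuthCache`, `run_scenario`) are assumptions for the illustration and do not correspond to HttpClient's `AuthCache` API.

```python
import itertools
import threading


class DigestServer:
    """Constructed stand-in for host H (not a real HTTP server).

    Tracks, per nonce, the last nonce count (nc) it accepted and rejects any
    request whose nc is not exactly last + 1, i.e. out-of-sequence or replayed.
    """

    def __init__(self):
        self._nonce_seq = itertools.count(1)
        self._last_nc = {}            # nonce -> last nc accepted
        self._lock = threading.Lock()

    def challenge(self):
        """Issue a fresh nonce, as a 401 WWW-Authenticate response would."""
        nonce = "N%d" % next(self._nonce_seq)
        with self._lock:
            self._last_nc[nonce] = 0
        return nonce

    def accept(self, nonce, nc):
        """Return True if (nonce, nc) is the next expected pair for that nonce."""
        with self._lock:
            if nonce not in self._last_nc or nc != self._last_nc[nonce] + 1:
                return False
            self._last_nc[nonce] = nc
            return True


class DigestScheme:
    """Minimal client-side digest state: a nonce plus a rising nonce count."""

    def __init__(self, nonce, nc=0):
        self.nonce = nonce
        self.nc = nc

    def authorization(self):
        """Produce the (nonce, nc) pair for one request, incrementing nc first."""
        self.nc += 1
        return (self.nonce, self.nc)


class SharedAuthCache:
    """Returns the same DigestScheme object to every caller: the racy behaviour."""

    def __init__(self):
        self._schemes = {}

    def get(self, host):
        return self._schemes.get(host)

    def put(self, host, scheme):
        self._schemes[host] = scheme


class CheckoutAuthCache(SharedAuthCache):
    """get() removes the scheme, so only one in-flight request can use the nonce.

    The caller re-puts the scheme via put() once a successful response arrives.
    """

    def get(self, host):
        return self._schemes.pop(host, None)


def run_scenario(cache):
    """Replay the interleaving from the comment: A and B both prepare a request
    against host H, then B reaches the server before A.

    Returns a list of (thread, nonce, nc, accepted) tuples in send order.
    """
    server = DigestServer()
    host = "H"

    # Starting state: the cache holds a scheme for H whose nonce N1 is at nc=1.
    primed = DigestScheme(server.challenge())
    if not server.accept(*primed.authorization()):
        raise RuntimeError("priming request should be accepted")
    cache.put(host, primed)

    def prepare(name):
        scheme = cache.get(host)
        if scheme is None:
            # Nothing cached for H: authenticate from scratch (extra round trip).
            scheme = DigestScheme(server.challenge())
        return name, scheme, scheme.authorization()

    a = prepare("A")
    b = prepare("B")

    results = []
    for name, scheme, (nonce, nc) in (b, a):      # B sends first
        accepted = server.accept(nonce, nc)
        if accepted:
            cache.put(host, scheme)               # re-cache with updated nc
        results.append((name, nonce, nc, accepted))
    return results


if __name__ == "__main__":
    print("shared cache:  ", run_scenario(SharedAuthCache()))
    print("checkout cache:", run_scenario(CheckoutAuthCache()))
```

With the shared cache, B's header carries nc=3 while the server has only seen nc=1 for N1, so B is rejected; with the check-out cache, B finds nothing cached, obtains its own nonce N2, and both requests are accepted. The trade-off the comment mentions is visible in `prepare`: a thread that finds the scheme checked out pays a challenge round trip instead of a rejected request and a resend.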