[ 
https://issues.apache.org/jira/browse/HTTPCLIENT-1909?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Johannes Stamminger updated HTTPCLIENT-1909:
--------------------------------------------
    Description: 
We fail to authenticate against a gateway that requires authentication and that 
tracks progress by setting and updating a session cookie, even during the 
authentication challenge:
 * client GET to some URL {{https://a.b.c/}}
 ** response: 302, redirect to {{https://a.b.c/xyz}}, set cookie X=1
 * client GET to URL {{https://a.b.c/xyz}}, cookie X=1 transmitted
 ** response: 401, authentication required, set cookie X=2
 * client GET to the same URL again, authentication transmitted, 
 {color:#d04437}*cookie X=1*{color} transmitted again; it should have been X=2

This is caused by the cookies actually being processed only outside the 
{{MainClientExec}}, by the calling {{ProtocolExec}}. But on receiving the 
401, the loop in {{MainClientExec#execute(...)}} is not left; instead, the request 
is sent again with only the authentication header added. The cookies 
received with the 401 response are dismissed.

 

Workaround (hack IMHO):
{code:java}
final TargetAuthenticationStrategy authStrategy = new TargetAuthenticationStrategy() {
    private final ResponseProcessCookies fResponseProcessCookies = new ResponseProcessCookies();
    private final RequestAddCookies fRequestAddCookies = new RequestAddCookies();

    @Override
    public Map<String, Header> getChallenges(HttpHost authhost,
                                             HttpResponse response,
                                             HttpContext context) throws MalformedChallengeException {
        try {
            // Store the cookies set by the 401 response in the context's cookie store.
            fResponseProcessCookies.process(response, context);
            final HttpClientContext clientContext = HttpClientContext.adapt(context);
            final HttpRequest request = clientContext.getRequest();
            // Drop the stale Cookie header and rebuild it from the updated cookie store.
            request.removeHeaders("Cookie");
            fRequestAddCookies.process(request, context);
        } catch (HttpException | IOException e) {
            throw new MalformedChallengeException(e.getMessage(), e);
        }
        return super.getChallenges(authhost, response, context);
    }
};

final CloseableHttpClient authClient = httpClientBuilder
    .setTargetAuthenticationStrategy(authStrategy)
    .build();
{code}

> Cookies received during authentication challenge not processed
> --------------------------------------------------------------
>
>                 Key: HTTPCLIENT-1909
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1909
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>    Affects Versions: 4.5.5
>            Reporter: Johannes Stamminger
>            Priority: Major
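To check whether a given client build or the workaround above sends the updated cookie, the 302 / 401 / retry sequence from the report can be reproduced with a small local test gateway. This is an added example, not code from the issue or from the HttpClient project; the class name, port 8080, the Basic realm and the use of plain HTTP on loopback (the report uses https) are assumptions.

```java
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.util.List;
import java.util.concurrent.CopyOnWriteArrayList;

/** Constructed test gateway mimicking the cookie-tracking sequence in the report. */
public class CookieTrackingGateway {
    /** Cookie header seen on each request that carried an Authorization header. */
    static final List<String> cookiesOnAuthRetry = new CopyOnWriteArrayList<>();

    public static HttpServer start(int port) throws IOException {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", port), 0);
        server.createContext("/", CookieTrackingGateway::handle);
        server.start();
        return server;
    }

    static void handle(HttpExchange ex) throws IOException {
        String path = ex.getRequestURI().getPath();
        String cookie = ex.getRequestHeaders().getFirst("Cookie");
        boolean hasAuth = ex.getRequestHeaders().containsKey("Authorization");
        int status;
        if (!"/xyz".equals(path)) {
            // Step 1: redirect and hand out the first session value.
            ex.getResponseHeaders().add("Location", "/xyz");
            ex.getResponseHeaders().add("Set-Cookie", "X=1; Path=/");
            status = 302;
        } else if (!hasAuth) {
            // Step 2: challenge and advance the session value.
            ex.getResponseHeaders().add("WWW-Authenticate", "Basic realm=\"test\"");
            ex.getResponseHeaders().add("Set-Cookie", "X=2; Path=/");
            status = 401;
        } else {
            // Step 3: authenticated retry; only the updated cookie is accepted.
            cookiesOnAuthRetry.add(String.valueOf(cookie));
            status = "X=2".equals(cookie) ? 200 : 403;
        }
        ex.sendResponseHeaders(status, -1); // -1: no response body
        ex.close();
    }

    public static void main(String[] args) throws IOException {
        start(8080);
        System.out.println("Gateway on http://127.0.0.1:8080/ (403 on retry = stale cookie sent)");
    }
}
```

A client that replays X=1 on the authenticated retry gets a 403 and the stale value is recorded in `cookiesOnAuthRetry`; a client that picks up the cookie from the 401 response gets a 200.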