Volker Jung created HTTPCLIENT-1961:
---------------------------------------

             Summary: Authentication ignores cookies
                 Key: HTTPCLIENT-1961
                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1961
             Project: HttpComponents HttpClient
          Issue Type: Bug
          Components: HttpClient (classic), HttpClient (Windows)
    Affects Versions: 4.5.6
            Reporter: Volker Jung


A cookie received in a 401 'Unauthorized' response does not get processed.

I am trying to get SSO (using 'Negotiate' scheme) working using WinHttpClients. 
The flow is as follows:
 * The original request gets redirected (302 'Moved temporarily') to a URL of 
an authentication service.
 * The authentication service responds with a 401 'Unauthorized' response, 
containing the authentication challenge ('Negotiate' scheme) and a cookie with 
a JSessionId.
 * The HTTP-Client handles the authentication challenge, adding the 
authentication response header, but does not process the cookie, therefore not 
adding the cookie to the response.

As a consequence, the authentication service does not handle the authentication 
response and the connection is running into timeout.

As far as I understand the code, the problem might be that the authentication 
handling is done solely in class 'MainClientExec', while the processing of 
request- and response-interceptors takes place in 'ProtocolExec' which 
decorates 'MainClientExec' (as built by HttpClientBuilder). Since processing 
cookies is done via a response-interceptor, cookies of 401 'Unauthorized' 
responses are never processed.


