[
https://issues.apache.org/jira/browse/HTTPCLIENT-1961?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Volker Jung updated HTTPCLIENT-1961:
------------------------------------
Description:
A cookie received in a 401 'Unauthorized' response does not get processed.
I am trying to get SSO (using 'Negotiate' scheme) working using WinHttpClients.
The flow is as follows:
* The original request gets redirected (302 'Moved temporarily') to a URL of
an authentication service.
* The authentication service responds with a 401 'Unauthorized' response,
containing the authentication challenge ('Negotiate' scheme) and a cookie with
a JSessionId.
* The HTTP-Client handles the authentication challenge, adding the
authentication response header, but does not process the cookie, therefore not
adding the cookie to the response.
As a consequence, the authentication service does not handle the authentication
response and the connection is running into timeout.
As far as I understand the code, the problem might be that the authentication
handling is done solely in class 'MainClientExec', while the processing of
request- and response-interceptors takes place in 'ProtocolExec' which
decorates 'MainClientExec' (as built by HttpClientBuilder). Since processing
cookies is done through interceptors (ResponseProcessCookies,
ResponseAddCookies), cookies of 401 'Unauthorized' responses are never
processed.
was:
A cookie received in a 401 'Unauthorized' response does not get processed.
I am trying to get SSO (using 'Negotiate' scheme) working using WinHttpClients.
The flow is as follows:
* The original request gets redirected (302 'Moved temporarily') to a URL of
an authentication service.
* The authentication service responds with a 401 'Unauthorized' response,
containing the authentication challenge ('Negotiate' scheme) and a cookie with
a JSessionId.
* The HTTP-Client handles the authentication challenge, adding the
authentication response header, but does not process the cookie, therefore not
adding the cookie to the response.
As a consequence, the authentication service does not handle the authentication
response and the connection is running into timeout.
As far as I understand the code, the problem might be that the authentication
handling is done solely in class 'MainClientExec', while the processing of
request- and response-interceptors takes place in 'ProtocolExec' which
decorates 'MainClientExec' (as built by HttpClientBuilder). Since processing
cookies is done via a response-interceptor, cookies of 401 'Unauthorized'
responses are never processed.
> Authentication ignores cookies
> ------------------------------
>
> Key: HTTPCLIENT-1961
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1961
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpClient (classic), HttpClient (Windows)
> Affects Versions: 4.5.6
> Reporter: Volker Jung
> Priority: Major
>
> A cookie received in a 401 'Unauthorized' response does not get processed.
> I am trying to get SSO (using 'Negotiate' scheme) working using
> WinHttpClients. The flow is as follows:
> * The original request gets redirected (302 'Moved temporarily') to a URL
> of an authentication service.
> * The authentication service responds with a 401 'Unauthorized' response,
> containing the authentication challenge ('Negotiate' scheme) and a cookie
> with a JSessionId.
> * The HTTP-Client handles the authentication challenge, adding the
> authentication response header, but does not process the cookie, therefore not
> adding the cookie to the response.
> As a consequence, the authentication service does not handle the
> authentication response and the connection is running into timeout.
> As far as I understand the code, the problem might be that the authentication
> handling is done solely in class 'MainClientExec', while the processing of
> request- and response-interceptors takes place in 'ProtocolExec' which
> decorates 'MainClientExec' (as built by HttpClientBuilder). Since processing
> cookies is done through interceptors (ResponseProcessCookies,
> ResponseAddCookies), cookies of 401 'Unauthorized' responses are never
> processed.
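The layering the report describes, as an added example that is not part of the original message and is not HttpClient code: a small model in which the cookie steps wrap an inner executor that answers the 401 challenge and retries on its own. All class, method and cookie names are assumptions; the constructed server returns a second 401 where the reporter saw a timeout, and `cookiesInLoop` is a hypothetical switch for contrast, not the project's fix.

```java
import java.util.*;

// Simplified stand-ins for illustration, not HttpClient's real classes.
public class ExecChainModel {
    record Response(int status, String setCookie) {}
    interface Exec { Response execute(Map<String, String> headers); }
    // Constructed server: the 401 challenge sets a session cookie, and the
    // Negotiate reply is accepted only when it carries that cookie.
    static Response authService(Map<String, String> h) {
        if (!h.containsKey("Authorization")) return new Response(401, "JSESSIONID=abc");
        boolean sameSession = "JSESSIONID=abc".equals(h.get("Cookie"));
        return new Response(sameSession ? 200 : 401, null);
    }
    // Inner layer (the role of MainClientExec): answers the challenge and
    // retries on its own. cookiesInLoop is a hypothetical switch for contrast.
    static Exec mainExec(List<String> store, boolean cookiesInLoop) {
        return headers -> {
            Response r = authService(headers);
            if (r.status() == 401) {
                Map<String, String> retry = new HashMap<>(headers);
                retry.put("Authorization", "Negotiate <token>");
                if (cookiesInLoop && r.setCookie() != null) {
                    store.add(r.setCookie());
                    retry.put("Cookie", r.setCookie());
                }
                r = authService(retry);
            }
            return r;
        };
    }
    // Outer layer (the role of ProtocolExec): the cookie interceptors run once
    // around the whole inner exchange, so they never see the intermediate 401.
    static Exec protocolExec(Exec inner, List<String> store) {
        return headers -> {
            if (!store.isEmpty()) headers.put("Cookie", store.get(0)); // request side
            Response r = inner.execute(headers);
            if (r.setCookie() != null) store.add(r.setCookie());       // response side
            return r;
        };
    }
    static int run(boolean cookiesInLoop) {
        List<String> store = new ArrayList<>();
        return protocolExec(mainExec(store, cookiesInLoop), store).execute(new HashMap<>()).status();
    }
    public static void main(String[] args) {
        System.out.println("cookie handling only in outer layer: " + run(false));
        System.out.println("cookie handling inside auth retry:   " + run(true));
    }
}
```

Records require Java 16 or later. The first call models the reported behaviour, where the retry carries the Negotiate header without the session cookie; the second shows the same exchange when the cookie from the 401 reaches the retry.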