[jira] [Commented] (HTTPCLIENT-1970) HttpClient does not support (non preemptive) digest authentication

Tue, 26 Feb 2019 06:25:39 -0800 


    [ 
https://issues.apache.org/jira/browse/HTTPCLIENT-1970?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16777968#comment-16777968
 ] 

Oleg Kalnichevski commented on HTTPCLIENT-1970:
-----------------------------------------------

[~cistoc] I am not sure I understand the problem. Preemptive authentication 
with the DIGEST authentication scheme is not possible given the 
challenge-response based design of the scheme as per RFC 2617 you have quoted. 

HttpClient used to allow DIGEST authentication state caching but cached schemes 
had been found prone to race conditions and caching of Digest authentication 
state was removed in 4.5.4. For details see HTTPCLIENT-1855.

Oleg

> HttpClient does not support (non preemptive) digest authentication 
> -------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-1970
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1970
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient (classic)
>    Affects Versions: 4.5.6
>            Reporter: Cisto Cyriac
>            Priority: Major
>
> In HttpClient 4.5.6 the preemptive digest authentication works, however 
> non-Preemptive digest authentication does not work.  We found this issue when 
> the HttpClient library was upgraded from 4.4.1 to 4.5.6.  
> As per  rfc2617  https://tools.ietf.org/html/rfc2617#section-3.2.1
> nonce  is a server-specified data string which should be uniquely generated 
> each time a 401 response is made.
> This issue can  be reproduced by commenting out the following two digest 
> authentication override parameters in the preemptive auth example in 
> https://hc.apache.org/httpcomponents-client-4.5.x/httpclient/examples/org/apache/http/examples/client/ClientPreemptiveDigestAuthentication.java
>  
> DigestScheme digestAuth = new DigestScheme();
> // Suppose we already know the realm name
> //digestAuth.overrideParamter("realm", "some realm");
> // Suppose we already know the expected nonce value
> //digestAuth.overrideParamter("nonce", "whatever");



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to