[
https://issues.apache.org/jira/browse/HTTPCLIENT-1970?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16778162#comment-16778162
]
Cisto Cyriac commented on HTTPCLIENT-1970:
------------------------------------------
Thanks Micheal, Oleg & Julian for looking into this issue
If you use the following curl command, you see that the credentials are not used in the
initial request and the server responds with a challenge that includes a
nonce and realm; then a challenge-response HTTP request is sent with the
credentials, using the realm and nonce from the challenge.
curl -v http://httpbin.org/digest-auth/auth/user/passwd --digest --user user:passwd
> GET /digest-auth/auth/user/passwd HTTP/1.1
>
< HTTP/1.1 401 UNAUTHORIZED
< WWW-Authenticate: Digest realm="[email protected]",
nonce="9d7deec68836b472f389cc2a522bb9d0", qop="auth",
opaque="1d070b079ff8db61afa994657e46ad36", algorithm=MD5, stale=FALSE
....
> GET /digest-auth/auth/user/passwd HTTP/1.1
> Authorization: Digest username="user", realm="[email protected]",
> nonce="9d7deec68836b472f389cc2a522bb9d0",
> uri="/digest-auth/auth/user/passwd",
> cnonce="OTUwNjI2YTAxMDBkNTc5OTZhZWU2MzEwNzY0ZTJkOGU=", nc=00000001, qop=auth,
> response="302046c897cf444e2946063527be7567",
> opaque="1d070b079ff8db61afa994657e46ad36", algorithm="MD5"
....
< HTTP/1.1 200 OK
< Content-Length: 47
...
<
{
"authenticated": true,
"user": "user"
}
With HttpClient 4.4.1, behaviour similar to curl's is observed. However, with
HttpClient 4.5.6 the 401 response with the challenge is not processed when an
override nonce and realm are not provided; HttpClient returns a 401.
This can be reproduced by removing the digest authentication overrides for
realm and nonce in the following preemptive auth example:
https://hc.apache.org/httpcomponents-client-4.5.x/httpclient/examples/org/apache/http/examples/client/ClientPreemptiveDigestAuthentication.java
My expectation is that if a request is provided with credentials, then
HttpClient should be able to handle the challenge response when it gets a 401
response from the server with the nonce, realm, auth, etc. provided in the
challenge.
> HttpClient does not support (non preemptive) digest authentication
> -------------------------------------------------------------------
>
> Key: HTTPCLIENT-1970
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1970
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpClient (classic)
> Affects Versions: 4.5.6
> Reporter: Cisto Cyriac
> Priority: Major
>
> In HttpClient 4.5.6 preemptive digest authentication works; however,
> non-preemptive digest authentication does not. We found this issue when
> the HttpClient library was upgraded from 4.4.1 to 4.5.6.
> As per RFC 2617, https://tools.ietf.org/html/rfc2617#section-3.2.1, the
> nonce is a server-specified data string which should be uniquely generated
> each time a 401 response is made.
> This issue can be reproduced by commenting out the following two digest
> authentication override parameters in the preemptive auth example in
> https://hc.apache.org/httpcomponents-client-4.5.x/httpclient/examples/org/apache/http/examples/client/ClientPreemptiveDigestAuthentication.java
>
> DigestScheme digestAuth = new DigestScheme();
> // Suppose we already know the realm name
> //digestAuth.overrideParamter("realm", "some realm");
> // Suppose we already know the expected nonce value
> //digestAuth.overrideParamter("nonce", "whatever");
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
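The two round trips the comment walks through (credential-less GET, 401 with a challenge, second GET carrying the computed Digest response), as an added example with both sides of the exchange. This is not code from the JIRA thread or from HttpClient; it is a minimal RFC 2617 MD5/qop=auth implementation written for this page. The realm "example.org", the server's user table, the replay counter and all function names are constructed here; only the nonce and opaque values are copied from the curl transcript above, and the realm differs from httpbin's, so the response hash will not match the one in the transcript.

```python
"""Added example: RFC 2617 Digest challenge/response, client and server side.

Assumptions (not on the original page): realm "example.org", a one-user
password table, and the helper names below are all constructed here. The
nonce and opaque values reused by main() come from the curl transcript.
"""
import hashlib
import re
import secrets

USERNAME = "user"
PASSWORD = "passwd"
REALM = "example.org"  # constructed; httpbin's realm is redacted on the page

# Constructed server state: known users and, per issued nonce, the highest
# nonce-count (nc) accepted so far. Tracking nc makes a captured
# Authorization header unusable a second time.
SERVER_USERS = {USERNAME: PASSWORD}
SERVER_NONCES = {}


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def server_challenge(nonce=None, opaque=None) -> str:
    """Server side of round trip 1: the 401's WWW-Authenticate value.
    Fixed values are accepted only for reproducibility; a real server
    generates a fresh random nonce for every 401 (RFC 2617 3.2.1)."""
    nonce = nonce or secrets.token_hex(16)
    opaque = opaque or secrets.token_hex(16)
    SERVER_NONCES[nonce] = 0
    return (f'Digest realm="{REALM}", nonce="{nonce}", qop="auth", '
            f'opaque="{opaque}", algorithm=MD5, stale=FALSE')


def parse_params(header: str) -> dict:
    """Split 'Digest k=v, k="v", ...' into a dict, stripping quotes."""
    body = header.split(" ", 1)[1]
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,]*)', body)}


def digest_response(user, password, realm, method, uri, nonce, nc, cnonce, qop):
    """RFC 2617 3.2.2.1 with qop=auth: KD(H(A1), nonce:nc:cnonce:qop:H(A2))."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_authorization(www_authenticate, user, password, method, uri, cnonce=None):
    """Client side of round trip 2: build the Authorization value using only
    the credentials and what the 401 carried (realm, nonce, opaque)."""
    p = parse_params(www_authenticate)
    cnonce = cnonce or secrets.token_hex(8)
    nc = "00000001"
    resp = digest_response(user, password, p["realm"], method, uri,
                           p["nonce"], nc, cnonce, "auth")
    return (f'Digest username="{user}", realm="{p["realm"]}", nonce="{p["nonce"]}", '
            f'uri="{uri}", cnonce="{cnonce}", nc={nc}, qop=auth, '
            f'response="{resp}", opaque="{p["opaque"]}", algorithm="MD5"')


def server_verify(authorization, method) -> bool:
    """Server side of round trip 2: recompute the response for the claimed
    user and compare; reject unknown realms/nonces and replayed nc values."""
    p = parse_params(authorization)
    if p.get("realm") != REALM or p.get("nonce") not in SERVER_NONCES:
        return False
    if p.get("qop") != "auth":
        return False
    nc = int(p["nc"], 16)
    if nc <= SERVER_NONCES[p["nonce"]]:
        return False  # replayed or out-of-order nonce count
    password = SERVER_USERS.get(p.get("username"))
    if password is None:
        return False
    expected = digest_response(p["username"], password, REALM, method, p["uri"],
                               p["nonce"], p["nc"], p["cnonce"], "auth")
    if not secrets.compare_digest(expected, p["response"]):
        return False
    SERVER_NONCES[p["nonce"]] = nc
    return True


def exchange(password_tried, nonce=None, opaque=None, cnonce=None):
    """Run both round trips for GET /digest-auth/auth/user/passwd and return
    (authenticated, Authorization header the client sent)."""
    challenge = server_challenge(nonce, opaque)  # reply to the credential-less GET
    authz = client_authorization(challenge, USERNAME, password_tried, "GET",
                                 "/digest-auth/auth/user/passwd", cnonce)
    return server_verify(authz, "GET"), authz


if __name__ == "__main__":
    ok, authz = exchange(PASSWORD, nonce="9d7deec68836b472f389cc2a522bb9d0",
                         opaque="1d070b079ff8db61afa994657e46ad36")
    print(authz)
    print("authenticated:", ok)
```

The point the client side makes is the one the comment makes: nothing in client_authorization can be computed before the 401 arrives, because the nonce (and in general the realm) only exist in the challenge, which is why a preemptive DigestScheme needs those values overridden while a non-preemptive client simply waits for the challenge.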