[ https://issues.apache.org/jira/browse/HTTPCLIENT-2414?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18058677#comment-18058677 ]
ASF subversion and git services commented on HTTPCLIENT-2414:
-------------------------------------------------------------
Commit 9cc45f6c67864ec53f2284d16e77872851e25e87 in httpcomponents-client's
branch refs/heads/5.6.x from Arturo Bernal
[ https://gitbox.apache.org/repos/asf?p=httpcomponents-client.git;h=9cc45f6c6 ]
HTTPCLIENT-2414 - Fix Basic auth cache scoping across path prefixes (#802)
Preserve AuthExchange pathPrefix on reset to avoid preemptive Authorization
reuse outside the protection space.
> Wrong path prefix caching in BasicAuth
> --------------------------------------
>
> Key: HTTPCLIENT-2414
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2414
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpClient (classic)
> Affects Versions: 5.7-alpha1
> Reporter: Roland Praml
> Priority: Major
> Fix For: 5.6.1, 5.7-alpha1
>
> Time Spent: 1h 20m
> Remaining Estimate: 0h
>
> We noticed that the HttpClient does not properly cache the authentications
> when changing paths.
>
> The [https://datatracker.ietf.org/doc/html/rfc7617#section-2.2] says that
> you can reuse credentials when you are authenticated to the path prefix
> before.
> This does not work in all cases.
>
> *How to reproduce*
> Take the {{testBasicAuthenticationCredentialsCachingByPathPrefix}} test and
> modify it:
> {code:java}
> ...
> for (final String requestPath : new String[]{"/blah/a", "/blubb/b"}) {
> ...
> Assertions.assertEquals(Arrays.asList(401, 200, 401, 200) // fails with 401,200, 200
> {code}
> The expectation is that you get a 401+200 for {{/blah/a}} and a 401+200 for
> {{/blubb/b}}.
> But for the second call, the credentials are sent without checking the
> path-prefix and we get a 401,200 - 200 pattern.
> I've tracked this down a bit and see that the {{AuthExchange.pathPrefix}} is
> cleared in the {{reset()}} method.
> Note: When accessing {{/blah/a}} two times in a row, everything works as
> expected. The second access to {{/blah/a}} fixes the cached value:
> {code:java}
> ...
> for (final String requestPath : new String[]{"/blah/a", "/blah/a", "/blubb/b"}) {
> ...
> Assertions.assertEquals(Arrays.asList(401, 200, 200, 401, 200) // this will work
> {code}
>
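A simplified model of the behaviour described in this report, added here as an example; it is not HttpClient's code. The class `PathPrefixScopeModel`, its fields and the point at which `reset()` runs during challenge handling are assumptions chosen to reproduce the status sequences quoted above; `preservePrefixOnReset` switches between the reported behaviour (`false`) and the one the commit message describes (`true`).

```java
import java.util.ArrayList;
import java.util.List;

// Simplified model written for this example; not HttpClient source code.
public class PathPrefixScopeModel {
    private final boolean preservePrefixOnReset; // true models the fixed behaviour
    private boolean hasCredentials;              // Basic credentials ready for preemptive use
    private String pathPrefix;                   // prefix the credentials were accepted for

    PathPrefixScopeModel(boolean preserve) { this.preservePrefixOnReset = preserve; }

    private void reset() {
        hasCredentials = false;
        if (!preservePrefixOnReset) pathPrefix = null; // the clearing described in the report
    }

    // Directory part of the request path, e.g. "/blah/a" -> "/blah/" (RFC 7617 section 2.2).
    static String prefixOf(String path) {
        return path.substring(0, path.lastIndexOf('/') + 1);
    }

    // Returns the status codes the client sees for one logical request.
    List<Integer> request(String path) {
        List<Integer> statuses = new ArrayList<>();
        String prefix = prefixOf(path);
        if (pathPrefix != null && !prefix.startsWith(pathPrefix)) {
            reset();               // outside the protection space: forget credentials
            pathPrefix = prefix;
        } else if (pathPrefix == null) {
            pathPrefix = prefix;   // nothing recorded, so no scope check is possible
        }
        if (!hasCredentials) {
            statuses.add(401);     // sent without Authorization, server challenges
            reset();               // assumption: challenge handling resets the exchange
            hasCredentials = true; // credentials selected, request is retried
        }
        statuses.add(200);
        return statuses;
    }

    static List<Integer> run(boolean preserve, String... paths) {
        PathPrefixScopeModel model = new PathPrefixScopeModel(preserve);
        List<Integer> all = new ArrayList<>();
        for (String p : paths) all.addAll(model.request(p));
        return all;
    }

    public static void main(String[] args) {
        System.out.println("prefix cleared:   " + run(false, "/blah/a", "/blubb/b"));
        System.out.println("prefix preserved: " + run(true, "/blah/a", "/blubb/b"));
        System.out.println("repeat first:     " + run(false, "/blah/a", "/blah/a", "/blubb/b"));
    }
}
```

In the first run the model sends credentials to `/blubb/b` without a challenge, because no prefix is left to compare against; the other two runs challenge again on `/blubb/b`.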