On Tue, 2006-02-28 at 16:52 +0100, Olaf Sebelin wrote:
> Hello,
> 
> 
> I am using HttpClient 3.0. When I try to establish an HTTPS connection
> through a proxy with Basic authentication, the connection fails if the
> credentials are not known and applied _before_ the first try.
> 
> What I try to do is the following: I try to connect to the given URL. If
> the proxy returns 407, I request proxy credentials from the user, set
> them and retry, like in the following example code:
> 
> 
>   HttpClient client = new HttpClient(new MultiThreadedHttpConnectionManager());
>   URL url = new URL("https://examplehttpsurl");
>     
>   //first try 
>   GetMethod get = new GetMethod(url.toExternalForm());
>   HostConfiguration hc = new HostConfiguration();
>   hc.setHost(url.getHost(), 443, "https");
>   hc.setProxy("proxyhost", 4711);
>   
>   try {
>     client.executeMethod(hc, get);
>   } catch (Exception e){
>     LOG.error("",e);
>   } finally {
>     get.releaseConnection();
>   }
>   
>   //returns 407 (expected)
>   LOG.debug("Answer: " + get.getStatusLine().toString()); 
>   
>   //retry with credentials (normally requested from the user)
>    client.getState().setProxyCredentials(new AuthScope("proxyhost",4711),
>          new NTCredentials("USER", "PASS", "", ""));
>    
>    get = new GetMethod(url.toExternalForm());
>   
>    try {
>      client.executeMethod(hc, get);
>    } catch (Exception e) {
>      e.printStackTrace();
>    } finally {
>      get.releaseConnection();
>    }
>    //should be 200 but is 407
>    LOG.debug("Answer: " + get.getStatusLine().toString());
>      
> 
> 
> This fails, since the httpclient does not retry a CONNECT with Proxy
> credentials but with a GET and does not apply the credentials:
> 
> 
> 
> CONNECT XXXXXXXXXXXXXXXXXXXXXXXXXX:443 HTTP/1.1
> User-Agent: Jakarta Commons-HttpClient/3.0
> Host: XXXXXXXXXXXXXXXXXXXXXXXXXX
> Proxy-Connection: Keep-Alive
> 
> HTTP/1.0 407 Proxy Authentication Required
> Server: squid/2.5.STABLE3
> Mime-Version: 1.0
> Date: Tue, 28 Feb 2006 16:45:21 GMT
> Content-Type: text/html
> Content-Length: 1334
> Expires: Tue, 28 Feb 2006 16:45:21 GMT
> X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
> Proxy-Authenticate: Basic realm="Squid proxy-caching web server"
> X-Cache: MISS from XXXXXXXXXXXXXXXXX
> X-Cache-Lookup: NONE from XXXXXXXXXXXXXXXXX:4711
> Proxy-Connection: keep-alive
> 
> ...
> 
> GET https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.1
> User-Agent: Jakarta Commons-HttpClient/3.0
> Host: XXXXXXXXXXXXXXXXXXXXXXXXXX
> Proxy-Connection: Keep-Alive
> 
> HTTP/1.0 407 Proxy Authentication Required
> Server: squid/2.5.STABLE3
> Mime-Version: 1.0
> Date: Tue, 28 Feb 2006 16:45:22 GMT
> Content-Type: text/html
> Content-Length: 1385
> Expires: Tue, 28 Feb 2006 16:45:22 GMT
> X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
> Proxy-Authenticate: Basic realm="Squid proxy-caching web server"
> X-Cache: MISS from XXXXXXXXXXXXXXXXX
> X-Cache-Lookup: NONE from XXXXXXXXXXXXXXXXX:4711
> Proxy-Connection: keep-alive
> 
> ...
> 
> 
> 
> According to http://issues.apache.org/bugzilla/show_bug.cgi?id=34740
> this is a known issue that should have been fixed.
> 
> From what I see from HttpMethodDirector.executeWithRetry(final
> HttpMethod method), the cause is that the connection is kept open, and
> thus the connect is never retried:
> 
> 
> if (!this.conn.isOpen()) {
>   // this connection must be opened before it can be used
>   // This has nothing to do with opening a secure tunnel
>   this.conn.open();
>   if (this.conn.isProxied() && this.conn.isSecure() 
>       && !(method instanceof ConnectMethod)) {
>     // we need to create a secure tunnel before we can execute the real method
>     if (!executeConnect()) {
>       // abort, the connect method failed
>       return;
>     }
>   }
> }
> 
> 
> If I add a conn.close() before returning on !executeConnect(), the
> above code will work, the CONNECT is reattempted. 
> 
>
> Is this still a bug with CONNECT over SSL

Olaf,

Please post a _complete_ wire/context log of the HTTP session. I'll take
a look at it.

>  or me using HttpClient the
> wrong way?
> 

You should rather implement a custom credentials provider if you want
the user to be able to authenticate interactively:

http://svn.apache.org/viewcvs.cgi/jakarta/commons/proper/httpclient/trunk/src/examples/InteractiveAuthenticationExample.java?view=markup

Oleg

> 
> Thanks in advance.
> 
> Regards,
> Olaf
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 
> 
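The custom credentials provider suggested in the reply, as an added example (not code from the thread or from the linked InteractiveAuthenticationExample). It uses the HttpClient 3.x `CredentialsProvider` interface and answers only a proxy challenge from the expected proxy, so the password is never offered to another host. The class names are hypothetical, "proxyhost", 4711 and "examplehttpsurl" are the placeholders from the original post, and `java.io.Console` assumes Java 6 or later.

```java
import java.io.Console;
import org.apache.commons.httpclient.*;
import org.apache.commons.httpclient.auth.*;
import org.apache.commons.httpclient.methods.GetMethod;

public class ProxyPromptExample {           // hypothetical class name
    /** Prompts only for the one proxy we expect; refuses every other challenge. */
    static class ProxyOnlyPrompter implements CredentialsProvider {
        private final String proxyHost;
        private final int proxyPort;

        ProxyOnlyPrompter(String proxyHost, int proxyPort) {
            this.proxyHost = proxyHost;
            this.proxyPort = proxyPort;
        }

        public Credentials getCredentials(AuthScheme scheme, String host, int port, boolean proxy)
                throws CredentialsNotAvailableException {
            // Do not hand proxy credentials to an origin server or an unexpected proxy.
            if (!proxy || !proxyHost.equalsIgnoreCase(host) || port != proxyPort) {
                throw new CredentialsNotAvailableException("Unexpected challenge from " + host + ":" + port);
            }
            Console console = System.console();
            if (console == null) {
                throw new CredentialsNotAvailableException("No interactive console available");
            }
            // Show scheme and realm so the user can see what is asking for the password.
            console.printf("%s proxy authentication at %s:%d, realm \"%s\"%n",
                    scheme.getSchemeName(), host, port, scheme.getRealm());
            String user = console.readLine("User: ");
            char[] pass = console.readPassword("Password: ");   // input is not echoed
            if (user == null || pass == null) {
                throw new CredentialsNotAvailableException("No credentials entered");
            }
            return new UsernamePasswordCredentials(user, new String(pass));
        }
    }

    public static void main(String[] args) throws Exception {
        HttpClient client = new HttpClient();
        // HttpClient consults the provider when a challenge arrives and no credentials are set.
        client.getParams().setParameter(CredentialsProvider.PROVIDER, new ProxyOnlyPrompter("proxyhost", 4711));
        HostConfiguration hc = new HostConfiguration();
        hc.setHost("examplehttpsurl", 443, "https");
        hc.setProxy("proxyhost", 4711);
        GetMethod get = new GetMethod("/");
        try {
            client.executeMethod(hc, get);
            System.out.println("Answer: " + get.getStatusLine());
        } finally {
            get.releaseConnection();
        }
    }
}
```

With the Basic scheme shown in the trace above, the credentials travel to the proxy base64-encoded rather than encrypted, because the CONNECT exchange itself is plain HTTP.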

