[ https://issues.apache.org/jira/browse/CXF-2100?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Christof Harnischmacher updated CXF-2100:
-----------------------------------------

    Affects Version/s: 2.1.4

> Digest auth is broken
> ---------------------
>
>                 Key: CXF-2100
>                 URL: https://issues.apache.org/jira/browse/CXF-2100
>             Project: CXF
>          Issue Type: Bug
>          Components: Transports
>    Affects Versions: 2.1.4, 2.2
>            Reporter: Christof Harnischmacher
>         Attachments: digest-auth.patch
>
>
> When trying to connect to the virtualearth webservice using cxf I found some issues
> in the cxf-rt-transports-http artifact regarding digest authentication:
> 1) The "authSupplier" configuration option is missing in
> org.apache.cxf.transport.http.spring.HttpConduitBeanDefinitionParser#mapSpecificElements,
> so it's not possible to configure a DigestAuthSupplier via cxf.xml.
> 2) In org.apache.cxf.transport.http.DigestAuthSupplier the method getPassword
> returns the username and vice versa.
> 3) In org.apache.cxf.transport.http.DigestAuthSupplier the 'opaque' field is
> always sent to the server even if it was NULL, which results in 'opaque="null"'.
> RFC 2069 says:
> opaque
>   A string of data, specified by the server, which should be
>   returned by the client unchanged.  It is recommended that this
>   string be base64 or hexadecimal data.  This field is a
>   "quoted-string" as specified in section 2.2 of the HTTP/1.1
>   specification [2].
> So I think the correct handling is to skip the opaque field when no opaque field
> was sent by the server.
> 4) After a while the nonce may become stale, so a new digest has to be created.
> To achieve that, every request against a digest authenticated server needs to be
> cached and chunking has to be disabled to replay the request with the recalculated
> digest.
> 5) org.apache.cxf.transport.http.HTTPConduit#setHeadersByAuthorizationPolicy: If
> an authSupplier is present and an authString was generated, the method should return
> even when the authString is NULL, instead of creating a basic auth authorization
> header.
> I included patches which allow me to connect against the virtualearth token service.
> The wsdl can be found here:
> https://staging.common.virtualearth.net/find-30/common.asmx?WSDL,
> but you have to be authenticated to get it.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
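
An added example, not part of the original report and not CXF's own code: a minimal RFC 2069 style Digest header builder showing points 2 and 3 of the report, namely the username/password order in the hash input and omitting opaque when the server sent none. The class name, method names and sample values are hypothetical and constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Added illustration; names are hypothetical and this is not CXF's DigestAuthSupplier.
public class DigestHeaderExample {

    static String md5Hex(String s) throws Exception {
        byte[] d = MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.ISO_8859_1));
        StringBuilder sb = new StringBuilder();
        for (byte b : d) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    // RFC 2069 response: MD5(HA1 ":" nonce ":" HA2). opaque is null when the server's
    // challenge carried no opaque directive. Assumes values contain no '"' characters.
    static String buildAuthorization(String user, String password, String realm, String nonce,
                                     String opaque, String method, String uri) throws Exception {
        // HA1 hashes username first, then realm, then password; swapping the two
        // credentials (point 2 of the report) yields a digest the server rejects.
        String ha1 = md5Hex(user + ":" + realm + ":" + password);
        String ha2 = md5Hex(method + ":" + uri);
        String response = md5Hex(ha1 + ":" + nonce + ":" + ha2);

        StringBuilder h = new StringBuilder("Digest ");
        h.append("username=\"").append(user).append("\", ");
        h.append("realm=\"").append(realm).append("\", ");
        h.append("nonce=\"").append(nonce).append("\", ");
        h.append("uri=\"").append(uri).append("\", ");
        h.append("response=\"").append(response).append("\"");
        if (opaque != null) {
            // Echo the server's value unchanged. Appending a null reference in Java
            // produces the literal text opaque="null" (point 3 of the report).
            h.append(", opaque=\"").append(opaque).append("\"");
        }
        return h.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, not taken from any real service.
        String with = buildAuthorization("alice", "s3cret", "example-realm",
                "abc123nonce", "5ccc069c403ebaf9", "POST", "/service");
        String without = buildAuthorization("alice", "s3cret", "example-realm",
                "abc123nonce", null, "POST", "/service");
        System.out.println(with);
        System.out.println(without);
        if (without.contains("opaque")) {
            throw new AssertionError("opaque must be omitted when the challenge had none");
        }
    }
}
```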
