[
https://issues.apache.org/jira/browse/CXF-5292?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Luis Rodriguez Berzosa updated CXF-5292:
----------------------------------------
Attachment: StackTrace.log
> Digest authentication against intermediate HTTP proxy fails when endpoint server does not use digest authentication as well
> ---------------------------------------------------------------------------------------------------------------------------
>
> Key: CXF-5292
> URL: https://issues.apache.org/jira/browse/CXF-5292
> Project: CXF
> Issue Type: Bug
> Components: Transports
> Affects Versions: 2.7.6
> Reporter: Luis Rodriguez Berzosa
> Priority: Minor
> Labels: authentication, digest, proxy, transport
> Attachments: StackTrace.log
>
>
> When using no endpoint authentication but digest authentication in
> intermediate HTTP proxy, the HTTPConduit throws an exception (attached).
> After some debugging, it seems to be a bug in the following code in the
> org.apache.cxf.transport.http.HTTPConduit class:
> /**
>  * This call places HTTP Header strings into the headers that are relevant
>  * to the Authorization policies that are set on this conduit by
>  * configuration.
>  * <p>
>  * An AuthorizationPolicy may also be set on the message. If so, those
>  * policies are merged. A user name or password set on the message
>  * overrides settings in the AuthorizationPolicy that is retrieved from the
>  * configuration.
>  * <p>
>  * The precedence is as follows:
>  * 1. AuthorizationPolicy that is set on the Message, if exists.
>  * 2. Authorization from AuthSupplier, if exists.
>  * 3. AuthorizationPolicy set/configured for conduit.
>  *
>  * REVISIT: Since the AuthorizationPolicy is set on the message by class, then
>  * how does one override the ProxyAuthorizationPolicy which is the same
>  * type?
>  *
>  * @param message
>  * @param headers
>  */
> private void setHeadersByAuthorizationPolicy(
>     Message message,
>     URL url
> ) {
>     Headers headers = new Headers(message);
>     AuthorizationPolicy effectiveAuthPolicy = getEffectiveAuthPolicy(message);
>     String authString = authSupplier.getAuthorization(effectiveAuthPolicy, url, message, null);
>     if (authString != null) {
>         headers.setAuthorization(authString);
>     }
>
>     String proxyAuthString = authSupplier.getAuthorization(proxyAuthorizationPolicy, url, message, null);
>     if (proxyAuthString != null) {
>         headers.setProxyAuthorization(proxyAuthString);
>     }
> }
> I think that the correct code should be:
>     String proxyAuthString =
>         proxyAuthSupplier.getAuthorization(proxyAuthorizationPolicy, url, message, null);
> With basic authentication for HTTP proxy, it works (luckily) as the
> authSupplier registered by default is the DefaultBasicAuthSupplier.
> If the final endpoint is configured to use Digest authentication, it also
> works due to the fact that the proxy and endpoint authentication schemes are
> "artificially shared".
> Anyway, I do not understand what the
> * REVISIT: Since the AuthorizationPolicy is set on the message by class, then
> * how does one override the ProxyAuthorizationPolicy which is the same
> * type?
> in the method javadoc means...
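A constructed Java model of the wiring the report describes, added here and not CXF's own code: it runs the three cases the reporter lists (Basic proxy with no endpoint auth, Digest on both, Digest proxy with no endpoint auth) through the logic of the quoted method with and without the proposed proxyAuthSupplier line. The AuthSupplier interface, the two suppliers, the proxyAccepts check and the user names are simplified assumptions.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class ProxyAuthWiring {
    /** Simplified stand-in for CXF's HttpAuthSupplier (assumption): a null user means no policy. */
    interface AuthSupplier {
        String getAuthorization(String user);
    }

    // Constructed suppliers; only the scheme name in the header value matters for this model.
    static final AuthSupplier BASIC = u -> u == null ? null : "Basic <base64 credentials of " + u + ">";
    static final AuthSupplier DIGEST = u -> u == null ? null : "Digest username=\"" + u + "\", response=...";

    /** Mirrors the quoted setHeadersByAuthorizationPolicy; 'fixed' applies the reporter's proposed line. */
    static Map<String, String> buildHeaders(String endpointUser, String proxyUser,
            AuthSupplier authSupplier, AuthSupplier proxyAuthSupplier, boolean fixed) {
        Map<String, String> headers = new LinkedHashMap<>();
        String authString = authSupplier.getAuthorization(endpointUser);
        if (authString != null) {
            headers.put("Authorization", authString);
        }
        // The bug: the endpoint's supplier is asked to produce the proxy credentials as well.
        AuthSupplier forProxy = fixed ? proxyAuthSupplier : authSupplier;
        String proxyAuthString = forProxy.getAuthorization(proxyUser);
        if (proxyAuthString != null) {
            headers.put("Proxy-Authorization", proxyAuthString);
        }
        return headers;
    }

    /** A proxy that challenged with requiredScheme accepts only a Proxy-Authorization of that scheme. */
    static boolean proxyAccepts(Map<String, String> headers, String requiredScheme) {
        String value = headers.get("Proxy-Authorization");
        return value != null && value.startsWith(requiredScheme + " ");
    }
    public static void main(String[] args) {
        // Case 1: Basic proxy, no endpoint auth. Works by luck: the default authSupplier is Basic.
        Map<String, String> h1 = buildHeaders(null, "proxyuser", BASIC, BASIC, false);
        System.out.println("Basic proxy, buggy wiring:  proxy accepts = " + proxyAccepts(h1, "Basic"));
        // Case 2: Digest on proxy and endpoint. The single Digest supplier serves both headers.
        Map<String, String> h2 = buildHeaders("svc", "proxyuser", DIGEST, DIGEST, false);
        System.out.println("Digest both, buggy wiring:  proxy accepts = " + proxyAccepts(h2, "Digest"));
        // Case 3: Digest proxy, no endpoint auth (the report). Buggy wiring sends a Basic header.
        Map<String, String> h3 = buildHeaders(null, "proxyuser", BASIC, DIGEST, false);
        System.out.println("Digest proxy, buggy wiring: proxy accepts = " + proxyAccepts(h3, "Digest"));
        Map<String, String> h4 = buildHeaders(null, "proxyuser", BASIC, DIGEST, true);
        System.out.println("Digest proxy, fixed wiring: proxy accepts = " + proxyAccepts(h4, "Digest"));
    }
}
```

Only the third case changes between the buggy and fixed wiring, which matches the report: the proxy rejects the Basic header it receives instead of a Digest response.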
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira