Luis Rodriguez Berzosa created CXF-5292:
-------------------------------------------

             Summary: Digest authentication against intermediate HTTP proxy fails when endpoint server does not use digest authentication as well
                 Key: CXF-5292
                 URL: https://issues.apache.org/jira/browse/CXF-5292
             Project: CXF
          Issue Type: Bug
          Components: Transports
    Affects Versions: 2.7.6
            Reporter: Luis Rodriguez Berzosa
            Priority: Minor
         Attachments: StackTrace.log

When using no endpoint authentication but digest authentication in an intermediate 
HTTP proxy, the HTTPConduit throws an exception (attached).

After some debugging, it seems to be a bug in the following code in the 
org.apache.cxf.transport.http.HTTPConduit class:

    /**
     * This call places HTTP Header strings into the headers that are relevant
     * to the Authorization policies that are set on this conduit by
     * configuration.
     * <p>
     * An AuthorizationPolicy may also be set on the message. If so, those
     * policies are merged. A user name or password set on the message
     * overrides settings in the AuthorizationPolicy that is retrieved from the
     * configuration.
     * <p>
     * The precedence is as follows:
     * 1. AuthorizationPolicy that is set on the Message, if exists.
     * 2. Authorization from AuthSupplier, if exists.
     * 3. AuthorizationPolicy set/configured for conduit.
     * 
     * REVISIT: Since the AuthorizationPolicy is set on the message by class, then
     * how does one override the ProxyAuthorizationPolicy which is the same 
     * type?
     * 
     * @param message
     * @param url
     */
    private void setHeadersByAuthorizationPolicy(
            Message message,
            URL url
    ) {
        Headers headers = new Headers(message);
        AuthorizationPolicy effectiveAuthPolicy = getEffectiveAuthPolicy(message);
        String authString = authSupplier.getAuthorization(effectiveAuthPolicy, url, message, null);
        if (authString != null) {
            headers.setAuthorization(authString);
        }
        
        // Reported defect: the endpoint's authSupplier is asked for the proxy
        // credentials instead of proxyAuthSupplier.
        String proxyAuthString = authSupplier.getAuthorization(proxyAuthorizationPolicy,
                                                               url, message, null);
        if (proxyAuthString != null) {
            headers.setProxyAuthorization(proxyAuthString);
        }
    }

I think that the correct code should be:

    String proxyAuthString = proxyAuthSupplier.getAuthorization(proxyAuthorizationPolicy, url, message, null);

With basic authentication for HTTP proxy, it works (luckily) as the 
authSupplier registered by default is the DefaultBasicAuthSupplier.

If the final endpoint is configured to use Digest authentication, it also works 
due to the fact that both the proxy and endpoint authentication schemes are 
"artificially shared".

Anyway, I do not understand what the 
    * REVISIT: Since the AuthorizationPolicy is set on the message by class, then
    * how does one override the ProxyAuthorizationPolicy which is the same 
    * type?
in the method javadoc means...
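
To make the supplier mix-up concrete, the following is an added, self-contained Java model; it is not CXF's code, and Policy, AuthSupplier, BASIC and DIGEST are hypothetical stand-ins for AuthorizationPolicy and the HttpAuthSupplier implementations (it assumes Java 16+ for records). buggyHeaders() mirrors the dispatch in the quoted method, fixedHeaders() the proposed one-line correction.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

public class ProxyAuthDispatch {
    /** Hypothetical stand-in for an AuthorizationPolicy: requested scheme plus credentials. */
    record Policy(String scheme, String user, String password) {}
    /** Hypothetical stand-in for an auth supplier: each one answers only its own scheme. */
    interface AuthSupplier { String getAuthorization(Policy p); }

    static final AuthSupplier BASIC = p -> "Basic".equalsIgnoreCase(p.scheme())
        ? "Basic " + Base64.getEncoder().encodeToString(
              (p.user() + ":" + p.password()).getBytes(StandardCharsets.UTF_8))
        : null;
    // A real Digest supplier derives realm, nonce and response from the 407 challenge;
    // this value only records which supplier answered.
    static final AuthSupplier DIGEST = p -> "Digest".equalsIgnoreCase(p.scheme())
        ? "Digest username=\"" + p.user() + "\"" : null;

    /** Same shape as the reported method: the proxy policy is handed to the endpoint supplier. */
    static Map<String, String> buggyHeaders(AuthSupplier authSupplier, AuthSupplier proxyAuthSupplier,
                                            Policy endpoint, Policy proxy) {
        Map<String, String> h = new LinkedHashMap<>();
        String a = endpoint == null ? null : authSupplier.getAuthorization(endpoint);
        if (a != null) h.put("Authorization", a);
        String pa = authSupplier.getAuthorization(proxy);      // wrong supplier for the proxy
        if (pa != null) h.put("Proxy-Authorization", pa);
        return h;
    }

    /** The correction proposed in the report: proxyAuthSupplier answers the proxy policy. */
    static Map<String, String> fixedHeaders(AuthSupplier authSupplier, AuthSupplier proxyAuthSupplier,
                                            Policy endpoint, Policy proxy) {
        Map<String, String> h = new LinkedHashMap<>();
        String a = endpoint == null ? null : authSupplier.getAuthorization(endpoint);
        if (a != null) h.put("Authorization", a);
        String pa = proxyAuthSupplier.getAuthorization(proxy); // proxy supplier for the proxy
        if (pa != null) h.put("Proxy-Authorization", pa);
        return h;
    }

    public static void main(String[] args) {
        // Constructed sample: no endpoint auth, Digest at the proxy, Basic supplier for the endpoint.
        Policy digestProxy = new Policy("Digest", "proxyuser", "proxysecret");
        System.out.println("buggy: " + buggyHeaders(BASIC, DIGEST, null, digestProxy)); // BASIC cannot answer Digest
        System.out.println("fixed: " + fixedHeaders(BASIC, DIGEST, null, digestProxy)); // Proxy-Authorization set
        // Basic at the proxy works even with the bug, because the endpoint supplier happens to be Basic too.
        Policy basicProxy = new Policy("Basic", "proxyuser", "proxysecret");
        System.out.println("buggy, basic proxy: " + buggyHeaders(BASIC, BASIC, null, basicProxy));
    }
}
```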

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira