[ https://issues.apache.org/jira/browse/CXF-5366?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Evgeny Shakin updated CXF-5366:
-------------------------------
Description:
When performing digest HTTP authentication, the generated Authorization
header is missing the "algorithm" element. Also, if the algorithm is "MD5-sess",
it should appear in the Authorization header as is and not as "MD5". To get
around the issue, it is possible to use a customized DigestAuthSupplier for the
affected CXF versions. The result of a WS invocation without "algorithm" in the
Authorization header is 400 Bad Request.
The issue relates to versions of CXF 2.7.4 and later; earlier versions work
fine.
Sample request:

POST /XXXXXXX HTTP/1.1
Content-Type: text/xml; charset=UTF-8
Accept: */*
SOAPAction: "http://schemas.microsoft.com/dynamics/XXXXXXX"
User-Agent: Apache CXF 2.7.4
Cache-Control: no-cache
Pragma: no-cache
Host: XXXXX
Connection: keep-alive
Content-Length: 542

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body></soap:Body></soap:Envelope>

POST /XXXXX HTTP/1.1
Content-Type: text/xml; charset=UTF-8
Accept: */*
Authorization: Digest response="541f8d073f2be81deae8e2f1065725b2",
  cnonce="46f26ffb6cf32b66873bf6e5e955bae8", username="XXXXX", nc="00000001",
  nonce="+Upgraded+v126a0f6047dd70851ab2155a14d09d56aacd7cd4a87d1ce01d77d4709393a1585490f57bdd6026b2c339c1f27bc03f4e47400ad20e8208244",
  realm="Digest", qop="auth", uri="/XXXXXXX"
SOAPAction: "http://schemas.microsoft.com/dynamics/XXXXXXX"
User-Agent: Apache CXF 2.7.4
Cache-Control: no-cache
Pragma: no-cache
Host: localhost:8887
Connection: keep-alive
Content-Length: 542

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>......</soap:Body></soap:Envelope>

Sample response:

HTTP/1.1 401 Unauthorized
Content-Length: 0
Server: Microsoft-HTTPAPI/2.0
WWW-Authenticate: Digest
  qop="auth",algorithm=MD5-sess,nonce="+Upgraded+v126a0f6047dd70851ab2155a14d09d56af26b5ad2f0d3ce0169267269a2cfa168709705665fd13f9adf81235595c672ec1623b17e470ccaef",charset=utf-8,realm="Digest"
Date: Mon, 28 Oct 2013 15:17:31 GMT

HTTP/1.1 400 Bad Request
Content-Length: 0
Server: Microsoft-HTTPAPI/2.0
Date: Mon, 28 Oct 2013 15:17:31 GMT

was:
When performing digest HTTP authentication, the generated Authorization
header is missing the "algorithm" element. Also, if the algorithm is "MD5-sess",
it should appear in the Authorization header as is and not as "MD5". To get
around the issue, it is possible to use a customized DigestAuthSupplier for the
affected CXF versions. The result of a WS invocation without "algorithm" in the
Authorization header is 400 Bad Request.
The issue relates to versions of CXF 2.7.4 and later; earlier versions work
fine.

> Authorization header is not set correctly in CXF HTTP digest authentication
> ----------------------------------------------------------------------------
>
> Key: CXF-5366
> URL: https://issues.apache.org/jira/browse/CXF-5366
> Project: CXF
> Issue Type: Bug
> Components: Core
> Affects Versions: 2.7.4, 2.7.5, 2.7.6, 2.7.7
> Environment: Windows 7 64 bit, Java 1.6.0_29, CXF 2.7.4, calling MS
> Dynamics WS.
> Reporter: Evgeny Shakin
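
The digest exchange from the report, as an added example that is not CXF code and not part of the original message: it computes the RFC 2617 request-digest for both "MD5" and "MD5-sess", builds an Authorization header that echoes the challenge's algorithm unchanged, and checks a header for the missing or altered "algorithm" element. All function names, the user name, password and nonce are constructed for illustration.

```python
import hashlib
import re

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_params(header_value):
    """Parse the key=value list of a Digest challenge or credentials header."""
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', header_value)
    return {key.lower(): quoted or bare for key, quoted, bare in pairs}

def digest_response(alg, user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 section 3.2.2 request-digest for qop=auth."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    if alg.lower() == "md5-sess":
        # Session variant: A1 additionally binds the server nonce and client cnonce.
        ha1 = md5_hex(f"{ha1}:{nonce}:{cnonce}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def build_authorization(challenge, user, password, method, uri, nc, cnonce):
    """Build credentials that echo the challenge's algorithm token unchanged."""
    c = parse_params(challenge)
    alg = c.get("algorithm", "MD5")  # RFC 2617 default when the server names none
    resp = digest_response(alg, user, c["realm"], password, method, uri, c["nonce"], nc, cnonce)
    return (f'Digest username="{user}", realm="{c["realm"]}", nonce="{c["nonce"]}", '
            f'uri="{uri}", algorithm={alg}, qop=auth, nc={nc}, cnonce="{cnonce}", '
            f'response="{resp}"')

def algorithm_mismatch(challenge, authorization):
    """Describe the problem, or return None when the algorithm is echoed correctly."""
    offered = parse_params(challenge).get("algorithm")
    sent = parse_params(authorization).get("algorithm")
    if offered and sent is None:
        return f"algorithm missing (server offered {offered})"
    if offered and sent.lower() != offered.lower():
        return f"algorithm {sent} sent, server offered {offered}"
    return None

# Constructed sample values, shaped like the trace in the report.
CHALLENGE = 'Digest qop="auth",algorithm=MD5-sess,nonce="constructed-nonce-01",charset=utf-8,realm="Digest"'
BAD_AUTH = ('Digest response="00000000000000000000000000000000", cnonce="c0ffee", username="demo", '
            'nc="00000001", nonce="constructed-nonce-01", realm="Digest", qop="auth", uri="/svc"')

if __name__ == "__main__":
    good = build_authorization(CHALLENGE, "demo", "demo-password", "POST", "/svc", "00000001", "c0ffee")
    print(good)
    print(algorithm_mismatch(CHALLENGE, BAD_AUTH))  # header shaped like the failing request
    print(algorithm_mismatch(CHALLENGE, good))
```

Because "MD5-sess" changes how the first hash is derived, a client that computes or labels the digest as plain "MD5" produces a response value the server cannot match.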