[ https://issues.apache.org/jira/browse/CXF-7170?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15907113#comment-15907113 ]
Javi Mármol edited comment on CXF-7170 at 3/13/17 10:21 AM:
------------------------------------------------------------
Same problem. Any feedback about that? Thx in advance.
We use 2.7.7, but I was looking in the source code of 3.0.1 and I found the same
code as in 2.7.7.
We are thinking of applying a patch to discriminate with the
AuthorizationPolicy.AuthorizationType instead of substring in the
HttpAuthHeader(String fullHeader) constructor of the HttpAuthHeader class.
was (Author: jmarmol):
Same problem. Any feedback about that? Thx in advance.
> Support Multiple WWW-Authenticate Headers
> -----------------------------------------
>
> Key: CXF-7170
> URL: https://issues.apache.org/jira/browse/CXF-7170
> Project: CXF
> Issue Type: Bug
> Components: Transports
> Affects Versions: 3.1.8
> Reporter: Silvan Hollenstein
>
> When the authorization type "Digest" is chosen, and the server responds with
> a 401 and multiple WWW-Authenticate headers, this will most probably lead to
> an error.
> Define Digest to be your authentication method:
> ...
> AuthorizationPolicy authPolicy = new AuthorizationPolicy();
> authPolicy.setAuthorizationType("Digest");
> ...
> The HTTPConduit will then create a DigestAuthSupplier. In...
> ----------------------------------------------------------
> DigestAuthSupplier.getAuthorization(...) {
> ...
> HttpAuthHeader authHeader = new HttpAuthHeader(fullHeader);
> if (authHeader.authTypeIsDigest()) {
> ...
> }
> }
> ----------------------------------------------------------
> fullHeader will be (because two headers):
> 'Basic realm="...", Digest realm="...", nonce="0058a704Y936...", stale=FALSE,
> qop="auth"'
> the authHeader will have the "Basic", because it is the first in fullHeader.
> But this does not match of course with authHeader.authTypeIsDigest(), and
> then it will return null.
> The actual wrong thing is, imo, that the fullHeader is concatenated, instead
> of choosing the one auth header that matches the method we have defined.
> Maybe HttpAuthHeader should hold a list of headers instead of concatenating
> them.
> Furthermore, it would be nice when the suppliers were chosen automatically,
> based on what authentication methods the server offers.
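
Added example (not part of the original thread and not CXF code): one way to pick the challenge that matches the configured authorization type out of a concatenated WWW-Authenticate value, instead of reading only the first scheme. The class and method names are hypothetical, and the header values are constructed.

```java
import java.util.ArrayList;
import java.util.List;

public class ChallengeSelector {           // hypothetical helper, not a CXF class
    /** Split on commas that are outside quoted strings (honours \" escapes). */
    static List<String> splitOutsideQuotes(String s) {
        List<String> parts = new ArrayList<>();
        StringBuilder cur = new StringBuilder();
        boolean quoted = false;
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (quoted && c == '\\' && i + 1 < s.length()) { cur.append(c).append(s.charAt(++i)); continue; }
            if (c == '"') quoted = !quoted;
            if (c == ',' && !quoted) { parts.add(cur.toString().trim()); cur.setLength(0); }
            else cur.append(c);
        }
        parts.add(cur.toString().trim());
        return parts;
    }

    /** Regroup the comma-separated elements into one string per challenge. */
    static List<String> parseChallenges(String fullHeader) {
        List<String> challenges = new ArrayList<>();
        for (String part : splitOutsideQuotes(fullHeader)) {
            if (part.isEmpty()) continue;
            int sp = part.indexOf(' ');
            String head = sp < 0 ? part : part.substring(0, sp);
            String rest = sp < 0 ? "" : part.substring(sp + 1).trim();
            // "Digest realm=..." starts a challenge; "nonce=..." is a parameter of the previous one.
            boolean newChallenge = !head.contains("=") && !rest.startsWith("=");
            if (newChallenge) challenges.add(part);
            else if (!challenges.isEmpty()) {
                int last = challenges.size() - 1;
                challenges.set(last, challenges.get(last) + ", " + part);
            }
        }
        return challenges;
    }

    /** Return the first challenge whose scheme equals the configured type, or null. */
    static String select(String fullHeader, String authorizationType) {
        for (String c : parseChallenges(fullHeader)) {
            if (c.split("\\s+", 2)[0].equalsIgnoreCase(authorizationType)) return c;
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed header in the shape reported in the issue (values are placeholders).
        String full = "Basic realm=\"example\", Digest realm=\"example\", nonce=\"constructed-nonce\", stale=FALSE, qop=\"auth\"";
        System.out.println(select(full, "Digest"));
    }
}
```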