[ 
https://issues.apache.org/jira/browse/AXIS-2856?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Kirill Safonov updated AXIS-2856:
---------------------------------

    Description: 
As of 1.5.1 AbstractHTTPSender.setAuthenticationInfo() obtains host from 
authenticator. Then this value is used to:

1) Create NTCredentials instance. Here 'host' is expected to describe source 
party (Javadoc: "The host the authentication request is originating from...")

2) Create AuthScope instance. Here 'host' is stored and AuthScope instance is 
later matched with another instance provided by 
HttpMethodDirector.authenticateHost(), which uses host from connection (points 
to target machine).

So, the client has to pass the server host to the NTCredentials constructor, 
otherwise authentication will not be performed as expected. This contradicts 
the Javadoc and may also cause problems with NTLM authentication, where the 
client host name (and not the server name) is part of the handshake message.


  was:
As of 1.5.1 AbstractHTTPSender.setAuthenticationInfo() obtains host from 
authenticator. Then this value is used to:

1) Create NTCredentials instance. Here 'host' is expected to describe source 
party (Javadoc: "The host the authentication request is originating from...")

2) Create AuthScope instance. Here 'host' is stored and AuthScope instance is 
later matched with another instance provided by 
HttpMethodDirector.authenticateHost(), which uses host from connection which 
points to target machine.

So, the client has to pass the server host to the NTCredentials constructor, 
otherwise authentication will not be performed as expected. This contradicts 
the Javadoc and may also cause problems with NTLM authentication, where the 
client host name (and not the server name) is part of the handshake message.



> Host provided by authenticator is treated incorrectly
> -----------------------------------------------------
>
>                 Key: AXIS-2856
>                 URL: https://issues.apache.org/jira/browse/AXIS-2856
>             Project: Axis
>          Issue Type: Bug
>          Components: Basic Architecture
>    Affects Versions: 1.5
>         Environment: any OS
>            Reporter: Kirill Safonov
>
> As of 1.5.1 AbstractHTTPSender.setAuthenticationInfo() obtains host from 
> authenticator. Then this value is used to:
> 1) Create NTCredentials instance. Here 'host' is expected to describe source 
> party (Javadoc: "The host the authentication request is originating from...")
> 2) Create AuthScope instance. Here 'host' is stored and AuthScope instance is 
> later matched with another instance provided by 
> HttpMethodDirector.authenticateHost(), which uses host from connection 
> (points to target machine).
> So, the client has to pass the server host to the NTCredentials constructor, 
> otherwise authentication will not be performed as expected. This contradicts 
> the Javadoc and may also cause problems with NTLM authentication, where the 
> client host name (and not the server name) is part of the handshake message.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
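
The two roles of 'host' described in the report, as an added example that is not part of the original message or of the Axis code base. It assumes Commons HttpClient 3.x on the classpath; the host names, user, password, domain and the class and method names are constructed for illustration, and the challenge scope is simplified to host, port and any realm.

```java
import org.apache.commons.httpclient.Credentials;
import org.apache.commons.httpclient.HttpState;
import org.apache.commons.httpclient.NTCredentials;
import org.apache.commons.httpclient.auth.AuthScope;

public class NtlmHostRolesDemo {
    // Constructed sample values, not taken from the issue.
    static final String TARGET_HOST = "soap.example.internal"; // server the request is sent to
    static final int TARGET_PORT = 8080;
    static final String WORKSTATION = "CLIENT-WS01";           // machine the request originates from

    // Scope used when the server challenges: host and port come from the connection.
    static AuthScope challengeScope() {
        return new AuthScope(TARGET_HOST, TARGET_PORT, AuthScope.ANY_REALM);
    }

    // One 'host' value feeds both AuthScope and NTCredentials, as the report describes.
    static Credentials lookupWithSharedHost(String host) {
        HttpState state = new HttpState();
        state.setCredentials(
                new AuthScope(host, TARGET_PORT, AuthScope.ANY_REALM),
                new NTCredentials("alice", "constructed-password", host, "EXAMPLE"));
        return state.getCredentials(challengeScope());
    }

    // Separate values: the scope names the target server, NTCredentials names the client.
    static Credentials lookupWithSeparateHosts() {
        HttpState state = new HttpState();
        state.setCredentials(
                challengeScope(),
                new NTCredentials("alice", "constructed-password", WORKSTATION, "EXAMPLE"));
        return state.getCredentials(challengeScope());
    }

    public static void main(String[] args) {
        // Workstation name as the shared value: the stored scope names a different
        // host than the challenge scope, so no credentials are found for the server.
        System.out.println("shared=workstation: " + lookupWithSharedHost(WORKSTATION));

        // Server name as the shared value: the lookup succeeds, but the NTLM
        // originating host carried by the credentials is now the server name.
        NTCredentials shared = (NTCredentials) lookupWithSharedHost(TARGET_HOST);
        System.out.println("shared=server, NTLM host: " + shared.getHost());

        // Separate values: the lookup succeeds and the originating host is the client.
        NTCredentials split = (NTCredentials) lookupWithSeparateHosts();
        System.out.println("separate, NTLM host: " + split.getHost());
    }
}
```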

        
