[ https://issues.apache.org/jira/browse/AXIS2-6023?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17476478#comment-17476478 ]

Robert Lazarski commented on AXIS2-6023:
----------------------------------------

If you could post your code - I am not a basic auth user - I can consider it 
for likely inclusion if it looks like that with care there won't be CVEs 
generated on it. Off by default should be sufficient.

Even better would be posting a patch though that isn't necessarily required, 
just helpful.

 

> Basic Auth creds missing if target auth not required
> ----------------------------------------------------
>
>                 Key: AXIS2-6023
>                 URL: https://issues.apache.org/jira/browse/AXIS2-6023
>             Project: Axis2
>          Issue Type: Bug
>    Affects Versions: 1.8.0
>            Reporter: Rod
>            Priority: Major
>
> This might be working as designed, but there's a clear change in behavior 
> between Axis2 v1.7.9 and v1.8.0 which is affecting functionality dependent on 
> client provided username:
> WSDL generated client provides basic auth credentials as such:
>   Options opt = thestub._getServiceClient().getOptions();
>   HttpTransportPropertiesImpl.Authenticator basicAuth = new HttpTransportPropertiesImpl.Authenticator();
>   basicAuth.setUsername(user);
>   basicAuth.setPassword(pass);
>   basicAuth.setPreemptiveAuthentication(true);
>   opt.setProperty(HTTPConstants.AUTHENTICATE, basicAuth);
>   opt.setProperty(HttpTransportPropertiesImpl.Authenticator.BASIC, basicAuth);
>   opt.setProperty(org.apache.axis2.transport.http.HTTPConstants.CHUNKED, Boolean.FALSE);
>   thestub._getServiceClient().setOptions(opt);
> If targeting Axis2 v1.7.9, the user/pass basicAuth is received by target 
> service, however, in v1.8.0 it is not.
> After looking around deep in org.apache.axis2.transport.http, it appears this 
> might be occurring if the target endpoint doesn't require authentication. 
> Is this by design? Is there a known way to force the transmission of 
> credentials?
>  
>  



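The behaviour the report describes (no credentials on the wire when the endpoint never answers 401, unless they are sent preemptively) can be checked independently of Axis2. The following is an added example, not code from the issue or from Axis2: it uses only JDK 11+ classes, and the class name, loopback endpoint and credentials are constructed for illustration.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.*;
import java.net.http.*;
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.concurrent.CopyOnWriteArrayList;

public class PreemptiveBasicAuthProbe {
    public static void main(String[] args) throws Exception {
        // Constructed loopback endpoint that never sends a 401 challenge,
        // like the target in the report. It records the Authorization header it receives.
        List<String> seen = new CopyOnWriteArrayList<>();
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/svc", ex -> {
            String auth = ex.getRequestHeaders().getFirst("Authorization");
            seen.add(auth == null ? "<none>" : auth);
            ex.sendResponseHeaders(200, -1); // 200 with no body
            ex.close();
        });
        server.start();
        URI uri = URI.create("http://127.0.0.1:" + server.getAddress().getPort() + "/svc");
        String user = "demo-user", pass = "demo-pass"; // constructed sample credentials

        // 1. Challenge-response: credentials are configured, but the client
        //    only sends them after a 401 + WWW-Authenticate, which never comes.
        HttpClient reactive = HttpClient.newBuilder().authenticator(new Authenticator() {
            @Override protected PasswordAuthentication getPasswordAuthentication() {
                return new PasswordAuthentication(user, pass.toCharArray());
            }
        }).build();
        reactive.send(HttpRequest.newBuilder(uri).build(), HttpResponse.BodyHandlers.discarding());

        // 2. Preemptive: the header goes out on the first request, asked for or not.
        //    Plain HTTP is used here only because the probe stays on loopback;
        //    Basic credentials are merely base64-encoded, so real endpoints need TLS.
        String token = Base64.getEncoder()
                .encodeToString((user + ":" + pass).getBytes(StandardCharsets.UTF_8));
        HttpClient.newHttpClient().send(
                HttpRequest.newBuilder(uri).header("Authorization", "Basic " + token).build(),
                HttpResponse.BodyHandlers.discarding());

        server.stop(0);
        System.out.println("challenge-response client sent: " + seen.get(0));
        System.out.println("preemptive client sent:         " + seen.get(1));
    }
}
```

Pointing a real client at such a non-challenging listener shows whether it discloses credentials unprompted, which is the property the "off by default" remark above is about.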