Hi,
we're using Apache CXF 2.2.9 to access a webservice. The service is served
on a tomcat-server (using the cxf-servlet, but this is not important here)
and protected by requiring http basic auth. When supplying correct
username/password-data in our client this works as expected when using the
following code:

JaxWsProxyFactoryBean factory = new JaxWsProxyFactoryBean();
factory.setServiceClass( IReferenceManagerImpl.class);
factory.setAddress( wsAddress.toString());
factory.setUsername( horus_user);
factory.setPassword( horus_password);
IReferenceManagerImpl implementation = ( IReferenceManagerImpl) factory.create();
// afterwards we're setting allowChunking to false for our http-client-policy
// since chunking gives us some problem with oracle webcache, but this isn't
// the point here...

However, when the user supplied a wrong password, things go wrong. Instead
of CXF giving me an HTTP 401 exception code, it tries many times to
authenticate against the server (20 times I think) and finally gives me the
following exception:

Caused by: java.net.ProtocolException: Server redirected too many times (20)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
    at java.net.HttpURLConnection.getResponseCode(Unknown Source)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:2165)

This is fatal for us, since after so many erroneous tries our LDAP server
locks the user that provided a wrong password.
I tracked down the issue and found out that the Sun HttpURLConnection asks
the default Authenticator for username/password when getting a 401. This
repeats in a loop for I think 20 times. Unfortunately, CXF sets the default
Authenticator to CXFAuthenticator, which provides the username/password on
every consecutive try.
For me there are two possible workarounds:
1) I can set Authenticator.setDefault(null) after CXF set it to
CXFAuthenticator
2) I can do httpConduit.setAuthorization(null) on my HttpConduit.
This doesn't prevent authorization from working, since it seems that CXF sets
the right HTTP-Authorization-Request on the HttpURLConnection before the
initial try. But when providing wrong credentials I'm getting the HTTP
401-Exception I would expect.
I'm quite sure this was the default behavior on older CXF versions. (we
started with 2.2.2)
Isn't it bad style to try to authenticate over and over again with the same
credentials? What is that CXFAuthenticator actually good for? And which of my
workarounds is actually "better"? Do they have side-effects I cannot see at
the moment?
Best regards
Johannes
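
Added example, not part of the original message and not CXF code: a plain-JDK reproduction of the retry behaviour described above, which counts how many requests reach the server when a default Authenticator keeps returning the same rejected credentials, compared with sending the Authorization header once and having no default Authenticator. The class name, the local stub server that rejects every login, and the credentials `alice` / `wrong` are constructed for illustration.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.concurrent.atomic.AtomicInteger;

public class BasicAuthRetryDemo {
    // Requests that reached the server; each one stands for one failed login at the backend.
    static final AtomicInteger attempts = new AtomicInteger();
    static String call(URL url, boolean preemptive) {
        attempts.set(0);
        try {
            HttpURLConnection c = (HttpURLConnection) url.openConnection();
            if (preemptive) {
                String token = Base64.getEncoder().encodeToString("alice:wrong".getBytes(StandardCharsets.UTF_8));
                c.setRequestProperty("Authorization", "Basic " + token);
            }
            return "HTTP " + c.getResponseCode();
        } catch (Exception e) {
            return e.toString();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed local endpoint that rejects every credential, like a server seeing a wrong password.
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/", ex -> {
            attempts.incrementAndGet();
            ex.getResponseHeaders().add("WWW-Authenticate", "Basic realm=\"demo\"");
            ex.sendResponseHeaders(401, -1);
            ex.close();
        });
        server.start();
        URL url = new URL("http://127.0.0.1:" + server.getAddress().getPort() + "/");

        // Case 1: a default Authenticator that hands out the same credentials on every challenge.
        Authenticator.setDefault(new Authenticator() {
            @Override protected PasswordAuthentication getPasswordAuthentication() {
                return new PasswordAuthentication("alice", "wrong".toCharArray());
            }
        });
        System.out.println("authenticator: " + call(url, false) + ", requests=" + attempts.get());

        // Case 2: no default Authenticator, credentials sent once in the Authorization header.
        Authenticator.setDefault(null);
        System.out.println("preemptive:    " + call(url, true) + ", requests=" + attempts.get());
        server.stop(0);
    }
}
```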