Posted to issues@cxf.apache.org by "Daniel Kulp (JIRA)" <ji...@apache.org> on 2009/03/10 15:42:52 UTC

[jira] Assigned: (CXF-2100) Digest auth is broken

     [ https://issues.apache.org/jira/browse/CXF-2100?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Kulp reassigned CXF-2100:
--------------------------------

    Assignee: Daniel Kulp

> Digest auth is broken
> ---------------------
>
>                 Key: CXF-2100
>                 URL: https://issues.apache.org/jira/browse/CXF-2100
>             Project: CXF
>          Issue Type: Bug
>          Components: Transports
>    Affects Versions: 2.1.4, 2.2
>            Reporter: Christof Harnischmacher
>            Assignee: Daniel Kulp
>         Attachments: digest-auth.patch
>
>
> When trying to connect to virtualearth webservice using cxf I found some issues
> in the cxf-rt-transports-http artifact regarding digest authentication
> 1) "authSupplier" configuration option is missing in
> org.apache.cxf.transport.http.spring.HttpConduitBeanDefinitionParser#mapSpecificElements,
> so it's not possible to configure a DigestAuthSupplier via cxf.xml.
> 2) In org.apache.cxf.transport.http.DigestAuthSupplier the method getPassword
> returns the username and vice versa.
> 3) In org.apache.cxf.transport.http.DigestAuthSupplier the 'opaque' field is
> always sent to the server even when it was NULL, which results in 'opaque="null"'.
> RFC 2069 says:
> opaque
>   A string of data, specified by the server, which should be
>   returned by the client unchanged.  It is recommended that this
>   string be base64 or hexadecimal data.  This field is a
>   "quoted-string" as specified in section 2.2 of the HTTP/1.1
>   specification [2].
> So I think the correct handling is to skip the opaque field, when no opaque-field
> was sent by the server.
> 4) After a while the nonce may become stale, so a new digest has to be created.
> To achieve that, every request against a digest authenticated server needs to be
> cached and chunking has to be disabled to replay the request with a recalculated
> digest.
> 5) org.apache.cxf.transport.http.HTTPConduit#setHeadersByAuthorizationPolicy: If
> an authSupplier is present and an authString was generated, the method should return
> even when the authString is NULL, instead of creating a basic auth authorization
> header.
> I included patches, which allow me to connect against virtualearth token service.
> The wsdl can be found here: https://staging.common.virtualearth.net/find-30/common.asmx?WSDL,
> but you have to be authenticated to get it.
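A client-side sketch of points 2 to 4 above in Python, added here as an illustration and not CXF's own code: it derives HA1 from the password (not the username), omits `opaque` when the challenge carried none, and replays a cached body with a recalculated digest when the server answers with `stale=true`. The `transport` callable is an assumed stand-in for the HTTP conduit; the `cnonce` default and the credentials used in the test are the RFC 2617 sample values.

```python
import hashlib
import re


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def parse_challenge(header: str) -> dict:
    """Parse the parameters of a 'WWW-Authenticate: Digest ...' challenge."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest challenge")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]*))', header[len("Digest "):])
    return {k: quoted if quoted else bare for k, quoted, bare in pairs}


def build_authorization(challenge: dict, user: str, password: str, method: str,
                        uri: str, cnonce: str = "0a4f113b", nc: int = 1) -> str:
    """Build the Authorization value for a Digest challenge (RFC 2069, or RFC 2617 qop=auth)."""
    nonce = challenge["nonce"]
    ha1 = _md5(f"{user}:{challenge['realm']}:{password}")  # password here, not username (point 2)
    ha2 = _md5(f"{method}:{uri}")
    if "auth" in challenge.get("qop", "").split(","):
        response = _md5(f"{ha1}:{nonce}:{nc:08x}:{cnonce}:auth:{ha2}")
        tail = f', qop=auth, nc={nc:08x}, cnonce="{cnonce}"'
    else:
        response = _md5(f"{ha1}:{nonce}:{ha2}")  # RFC 2069 form, no qop
        tail = ""
    params = [("username", user), ("realm", challenge["realm"]), ("nonce", nonce),
              ("uri", uri), ("response", response)]
    if challenge.get("opaque"):  # point 3: echo opaque only if the server sent one
        params.append(("opaque", challenge["opaque"]))
    return "Digest " + ", ".join(f'{k}="{v}"' for k, v in params) + tail


def send_with_digest(transport, method, uri, body, user, password):
    """Point 4: keep the body and replay it with a fresh digest when the server
    answers 401 with stale=true. `transport(method, uri, body, auth)` returns
    (status, www_authenticate) and is a constructed stand-in for the HTTP conduit."""
    auth = None
    for _ in range(3):  # unauthenticated try, first digest, one stale-nonce retry
        status, www_auth = transport(method, uri, body, auth)
        if status != 401 or not www_auth:
            return status, auth
        challenge = parse_challenge(www_auth)
        if auth is not None and challenge.get("stale", "").lower() != "true":
            return status, auth  # credentials were rejected, not merely a stale nonce
        auth = build_authorization(challenge, user, password, method, uri)
    return status, auth
```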
