Posted to issues@cxf.apache.org by "Daniel Kulp (JIRA)" <ji...@apache.org> on 2009/03/10 15:42:52 UTC
[jira] Assigned: (CXF-2100) Digest auth is broken
[ https://issues.apache.org/jira/browse/CXF-2100?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Daniel Kulp reassigned CXF-2100:
--------------------------------
Assignee: Daniel Kulp
> Digest auth is broken
> ---------------------
>
> Key: CXF-2100
> URL: https://issues.apache.org/jira/browse/CXF-2100
> Project: CXF
> Issue Type: Bug
> Components: Transports
> Affects Versions: 2.1.4, 2.2
> Reporter: Christof Harnischmacher
> Assignee: Daniel Kulp
> Attachments: digest-auth.patch
>
>
> When trying to connect to virtualearth webservice using cxf I found some issues
> in the cxf-rt-transports-http artifact regarding digest authentication
> 1) "authSupplier" configuration option is missing in
> org.apache.cxf.transport.http.spring.HttpConduitBeanDefinitionParser#mapSpecificElements,
> so it's not possible to configure a DigestAuthSupplier via cxf.xml.
> 2) In org.apache.cxf.transport.http.DigestAuthSupplier the method getPassword
> returns the username and vice versa.
> 3) In org.apache.cxf.transport.http.DigestAuthSupplier the 'opaque' field is
> always sent to the server even if it was NULL, which results in 'opaque="null"'.
> RFC 2069 says:
> opaque
> A string of data, specified by the server, which should be
> returned by the client unchanged. It is recommended that this
> string be base64 or hexadecimal data. This field is a
> "quoted-string" as specified in section 2.2 of the HTTP/1.1
> specification [2].
> So I think the correct handling is to skip the opaque field, when no opaque-field
> was sent by the server.
> 4) After a while the nonce may become stale, so a new digest has to be created.
> To achieve that, every request against a digest authenticated server needs to be
> cached and chunking has to be disabled to replay the request with a recalculated
> digest.
> 5) org.apache.cxf.transport.http.HTTPConduit#setHeadersByAuthorizationPolicy: If
> an authSupplier is present and an authString was generated, the method should return
> even when the authString is NULL, instead of creating a basic auth authorization
> header.
> I included patches, which allow me to connect against virtualearth token service.
> The wsdl can be found here: https://staging.common.virtualearth.net/find-30/common.asmx?WSDL,
> but you have to be authenticated to get it.
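Items 3 and 4 of the report, shown as an added example that is neither CXF code nor the attached patch: an RFC 2069 style Authorization header that echoes `opaque` only when the server's challenge carried one, plus a check for a `stale=true` challenge that calls for recomputing the digest with the new nonce. The class name, method names, and all sample values are hypothetical and constructed for illustration.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;

// Added illustration: names are hypothetical, this is not CXF's DigestAuthSupplier.
public class DigestHeaderSketch {

    static String md5Hex(String s) throws NoSuchAlgorithmException {
        byte[] d = MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8));
        return String.format("%032x", new BigInteger(1, d)); // 32 lowercase hex digits
    }

    // challenge holds the parameters parsed from "WWW-Authenticate: Digest ...".
    static String authorization(Map<String, String> challenge, String user, String password,
                                String method, String uri) throws NoSuchAlgorithmException {
        String realm = challenge.get("realm");
        String nonce = challenge.get("nonce");
        String ha1 = md5Hex(user + ":" + realm + ":" + password);
        String ha2 = md5Hex(method + ":" + uri);
        String response = md5Hex(ha1 + ":" + nonce + ":" + ha2); // RFC 2069 form, no qop
        StringBuilder h = new StringBuilder("Digest username=\"").append(user)
            .append("\", realm=\"").append(realm)
            .append("\", nonce=\"").append(nonce)
            .append("\", uri=\"").append(uri)
            .append("\", response=\"").append(response).append('"');
        String opaque = challenge.get("opaque");
        if (opaque != null) { // echo opaque unchanged, and only if the server sent one
            h.append(", opaque=\"").append(opaque).append('"');
        }
        return h.toString();
    }

    // A 401 whose challenge has stale=true: same credentials, recompute with the new nonce.
    static boolean isStale(Map<String, String> challenge) {
        return "true".equalsIgnoreCase(challenge.get("stale"));
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        Map<String, String> c = new HashMap<>(); // constructed sample challenge, no opaque
        c.put("realm", "example-realm");
        c.put("nonce", "n-0001");
        System.out.println(authorization(c, "alice", "constructed-pw", "POST", "/svc"));
        // Constructed follow-up challenge: fresh nonce, stale flag, and an opaque value.
        c.put("nonce", "n-0002"); c.put("stale", "true"); c.put("opaque", "5ccc06");
        if (isStale(c)) System.out.println(authorization(c, "alice", "constructed-pw", "POST", "/svc"));
    }
}
```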