Posted to dev@hc.apache.org by "Oleg Kalnichevski (JIRA)" <ji...@apache.org> on 2011/03/14 15:56:30 UTC

[jira] Resolved: (HTTPCLIENT-1071) 400 Bad request is returned (Target Authentication)

     [ https://issues.apache.org/jira/browse/HTTPCLIENT-1071?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Oleg Kalnichevski resolved HTTPCLIENT-1071.
-------------------------------------------

    Resolution: Invalid

I suspected that. The authorization request generated by the Innovation.ch HTTPClient violates RFC 2617, section 3.2.2.5:

---
3.2.2.5 Various considerations

   The "Method" value is the HTTP request method as specified in section
   5.1.1 of [2]. The "request-uri" value is the Request-URI from the
   request line as specified in section 5.1.2 of [2]. This may be "*",
   an "absoluteURL" or an "abs_path" as specified in section 5.1.2 of
   [2], but it MUST agree with the Request-URI. In particular, it MUST
   be an "absoluteURL" if the Request-URI is an "absoluteURL". The
   "cnonce-value" is an optional  client-chosen value whose purpose is
   to foil chosen plaintext attacks.

---

The request URI value in the Digest Authorization '... MUST be an "absoluteURL" if the Request-URI is an "absoluteURL"', which is clearly not the case.

---
GET http://renderv3.mappoint.net:80/render-30/RenderService.asmx HTTP/1.1
Host: renderv3.mappoint.net
Proxy-Connection: Keep-Alive
Connection: TE
TE: trailers, deflate, gzip, compress
User-Agent: RPT-HTTPClient/0.3-3E
Pragma: no-cache
Accept-Encoding: deflate, gzip, x-gzip, compress, x-compress
Proxy-Authorization: Basic bXV0aHUtemNpNTY4OnNhZGZzZjNy
Authorization: Digest realm="MapPoint",username="7518",uri="/render-30/RenderService.asmx",nonce="386b1170cabff277975819992100dd940a6884eb44e9f02fb50736820af2",response="12cfdb83386a255cc7329f2120b11ecc",cnonce="8d15f60bd65131c63cabc91d8702258d",qop="auth",nc="00000001"
---

Apparently the IIS server gets confused by the absolute request URI in the Digest authorization request (even though the uri is perfectly OK) and rejects the request as invalid (though it is not).

---
GET http://renderv3.mappoint.net/render-30/RenderService.asmx HTTP/1.1
Host: renderv3.mappoint.net
Proxy-Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1 (java 1.5)
Authorization: Digest username="7518", realm="MapPoint", nonce="f5674eeba014d98c600358992100d5829a60853da97d70f6f5000d8b8eb9", uri="http://renderv3.mappoint.net/render-30/RenderService.asmx", response="e452c5c1d70bb8b9f5177ac1abc66b31", qop=auth, nc=00000001, cnonce="93e6e5399da67d161b7fec8728ccd496"
Proxy-Authorization: Basic bWFuYXNhLXpjaTEzOTA6c2d1ZDhkaw==
---

I am not very keen on changing HttpClient's behavior as in my opinion it is fully compliant with the requirements of the HTTP specification and the problem clearly lies with Microsoft-IIS/6.0.

You basically have two options:

(1) If you are a paying Microsoft customer, try approaching Microsoft customer services with this problem.

(2) Make a local copy of DigestScheme, tweak its behavior, and use it instead of the one shipped with HttpClient.

Oleg

> 400 Bad request is returned (Target Authentication)
> ---------------------------------------------------
>
>                 Key: HTTPCLIENT-1071
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1071
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpAuth, HttpClient
>         Environment: WindowsXP, Java 1.5
>            Reporter: Manasa K
>              Labels: authentication, digest, proxy
>         Attachments: ApacheHTTPClient, Inno_WithProxy, InnovationHTTPClient.txt, logs_withoutProxy.txt, logstosend_withProxy.txt
>
>
> I am trying to connect to a URL http://renderv3.mappoint.net/render-30/RenderService.asmx which needs WWW-Authenticate (uses Digest Authentication). Also this should go via a Proxy (uses Basic Authentication). This returns HTTP/1.0 400 Bad Request [Server: Microsoft-IIS/6.0, Date: Tue, 08 Mar 2011 13:38:43 GMT, X-Cache: MISS from proxy-server8-int1, Connection: close]....
> When the request to this URL is sent directly (i.e., not going via Proxy), it works perfectly.
> Also when I tried with another HTTPClient from Innovation.ch, this works. So I doubt if there will be any trouble caused due to the proxy server.
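
A check for the RFC 2617 section 3.2.2.5 rule discussed in this thread, as an added example that is not part of the original message or of HttpClient: it parses the request line and the Digest `Authorization` header and reports whether the `uri` parameter agrees with the Request-URI. The function names and result strings are assumptions; the two sample requests are trimmed from the ones quoted in the message.

```python
import re

# Request line and Authorization header trimmed from the two requests quoted
# in the message (nonce, response and cnonce omitted; the check ignores them).
INNOVATION_REQ = (
    "GET http://renderv3.mappoint.net:80/render-30/RenderService.asmx HTTP/1.1\r\n"
    "Host: renderv3.mappoint.net\r\n"
    'Authorization: Digest realm="MapPoint",username="7518",'
    'uri="/render-30/RenderService.asmx",qop="auth",nc="00000001"\r\n\r\n'
)
HTTPCLIENT_REQ = (
    "GET http://renderv3.mappoint.net/render-30/RenderService.asmx HTTP/1.1\r\n"
    "Host: renderv3.mappoint.net\r\n"
    'Authorization: Digest username="7518", realm="MapPoint", '
    'uri="http://renderv3.mappoint.net/render-30/RenderService.asmx", '
    "qop=auth, nc=00000001\r\n\r\n"
)

# name=value pairs; the value is a quoted-string (escaped quotes not handled) or a token.
PARAM = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))')
ABSOLUTE = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*://")


def digest_params(request):
    """Return (request_uri, params); params is None when there is no Digest header."""
    lines = request.split("\r\n\r\n", 1)[0].split("\r\n")
    request_uri = lines[0].split(" ")[1]
    for line in lines[1:]:
        name, _, value = line.partition(":")
        scheme, _, rest = value.strip().partition(" ")
        if name.strip().lower() == "authorization" and scheme.lower() == "digest":
            return request_uri, {
                m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
                for m in PARAM.finditer(rest)
            }
    return request_uri, None


def check_uri_agreement(request):
    """Classify the Digest uri parameter against the Request-URI (RFC 2617, 3.2.2.5)."""
    request_uri, params = digest_params(request)
    if not params or "uri" not in params:
        return "no-digest-uri"
    uri = params["uri"]
    if ABSOLUTE.match(request_uri) and not ABSOLUTE.match(uri):
        return "form-mismatch"  # absolute Request-URI, non-absolute uri: breaks the MUST
    return "ok" if uri == request_uri else "value-mismatch"
```

`check_uri_agreement(INNOVATION_REQ)` returns `"form-mismatch"` and `check_uri_agreement(HTTPCLIENT_REQ)` returns `"ok"`, matching the reading of the two captures given in the message.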
