You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@hc.apache.org by "Karl Wright (JIRA)" <ji...@apache.org> on 2010/02/23 21:45:28 UTC
[jira] Created: (HTTPCLIENT-917) When authentication is invalidated
during redirection, proxy authentication also should be invalidated
When authentication is invalidated during redirection, proxy authentication also should be invalidated
------------------------------------------------------------------------------------------------------
Key: HTTPCLIENT-917
URL: https://issues.apache.org/jira/browse/HTTPCLIENT-917
Project: HttpComponents HttpClient
Issue Type: Bug
Components: HttpClient
Reporter: Karl Wright
This was discovered during use by Lucene Connector Framework, on 3.1.
When a document is fetched through a proxy authenticated with NTLM, and
that document is a redirection (301 or 302), the httpclient fails to
properly use the right proxy credentials on the subsequent document
fetch. This leads to 407 errors on these kinds of documents.
I've attached a proposed patch.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org
[jira] Commented: (HTTPCLIENT-917) When authentication is
invalidated during redirection, proxy authentication also should be
invalidated
Posted by "Oleg Kalnichevski (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HTTPCLIENT-917?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12837757#action_12837757 ]
Oleg Kalnichevski commented on HTTPCLIENT-917:
----------------------------------------------
I am not a patent lawyer, so whatever I have to say on the matter has no bearing of what so ever. The only group of people that can make definitive statements on the matter is the ASF legal committee. If they decide it is okay to use algorithms in the ASF code that may _potentially_ be covered by patents held by Microsoft, the matter would be settled. However, given the fact they have been unable to make up their mind about the use of LGPL code in ASF code for years, I would not be holding my breath.
Welcome to the wonderful world of ASF bureaucracy.
Until this matter is decided upon by the ASF legal people I _personally_ will not touch Microsoft specific code with a barge pole. If MetaCarta, Inc have enough lawyers sitting around, good for you. I am just a regular guy writing code at his spare time. A mere potential threat of a lawsuit is enough for me.
I am aware of multiple open-source implementations of the NTLM protocol. However this is not a copyright matter, but that of intellectual property rights. This is about a liability for the use of Microsoft IP in commercial products, not for writing open-source code. The existence of open-source implementations does not prove or disprove anything.
> When authentication is invalidated during redirection, proxy authentication also should be invalidated
> ------------------------------------------------------------------------------------------------------
>
> Key: HTTPCLIENT-917
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-917
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpClient
> Affects Versions: 3.1 Final
> Reporter: Karl Wright
> Attachments: proxy-auth-invalidate.patch
>
>
> This was discovered during use by Lucene Connector Framework, on 3.1.
> When a document is fetched through a proxy authenticated with NTLM, and
> that document is a redirection (301 or 302), the httpclient fails to
> properly use the right proxy credentials on the subsequent document
> fetch. This leads to 407 errors on these kinds of documents.
> I've attached a proposed patch.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org
[jira] Commented: (HTTPCLIENT-917) When authentication is
invalidated during redirection, proxy authentication also should be
invalidated
Posted by "Karl Wright (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HTTPCLIENT-917?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12837489#action_12837489 ]
Karl Wright commented on HTTPCLIENT-917:
----------------------------------------
I'm aware of 3.1's older status, but 4.x is not yet available via the stable debian distribution, so until it is available that's the version I'm stuck with.
In any case, the goal of this submission is as much to verify that 4.x does not have the problem as it is to request a fix in 3.1.
> When authentication is invalidated during redirection, proxy authentication also should be invalidated
> ------------------------------------------------------------------------------------------------------
>
> Key: HTTPCLIENT-917
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-917
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpClient
> Reporter: Karl Wright
> Attachments: proxy-auth-invalidate.patch
>
>
> This was discovered during use by Lucene Connector Framework, on 3.1.
> When a document is fetched through a proxy authenticated with NTLM, and
> that document is a redirection (301 or 302), the httpclient fails to
> properly use the right proxy credentials on the subsequent document
> fetch. This leads to 407 errors on these kinds of documents.
> I've attached a proposed patch.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org
[jira] Commented: (HTTPCLIENT-917) When authentication is
invalidated during redirection, proxy authentication also should be
invalidated
Posted by "Ortwin Glück (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HTTPCLIENT-917?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12837680#action_12837680 ]
Ortwin Glück commented on HTTPCLIENT-917:
-----------------------------------------
Then I suggest you file the issue with Debian.
> When authentication is invalidated during redirection, proxy authentication also should be invalidated
> ------------------------------------------------------------------------------------------------------
>
> Key: HTTPCLIENT-917
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-917
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpClient
> Reporter: Karl Wright
> Attachments: proxy-auth-invalidate.patch
>
>
> This was discovered during use by Lucene Connector Framework, on 3.1.
> When a document is fetched through a proxy authenticated with NTLM, and
> that document is a redirection (301 or 302), the httpclient fails to
> properly use the right proxy credentials on the subsequent document
> fetch. This leads to 407 errors on these kinds of documents.
> I've attached a proposed patch.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org
[jira] Commented: (HTTPCLIENT-917) When authentication is
invalidated during redirection, proxy authentication also should be
invalidated
Posted by "Karl Wright (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HTTPCLIENT-917?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12837745#action_12837745 ]
Karl Wright commented on HTTPCLIENT-917:
----------------------------------------
The implementation is effectively a clean-room implementation of client-side NTLM, based on published web protocol descriptions, and with some protocol clarifications from Michael Allen. So we believe it does not violate anyone's copyright.
No warranty is granted that it does not violate any Microsoft patents. However, please note that there are at least two other open source projects out there that distribute code that is functionally similar. These are:
- jCIFS (jcifs.samba.org), which you are familiar
- curl, which I presume you have heard of also
Can you clarify what patents you believe to be in play here? We may be able to do some independent research to see if these concerns appear to be warranted.
Thanks,
Karl
> When authentication is invalidated during redirection, proxy authentication also should be invalidated
> ------------------------------------------------------------------------------------------------------
>
> Key: HTTPCLIENT-917
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-917
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpClient
> Affects Versions: 3.1 Final
> Reporter: Karl Wright
> Attachments: proxy-auth-invalidate.patch
>
>
> This was discovered during use by Lucene Connector Framework, on 3.1.
> When a document is fetched through a proxy authenticated with NTLM, and
> that document is a redirection (301 or 302), the httpclient fails to
> properly use the right proxy credentials on the subsequent document
> fetch. This leads to 407 errors on these kinds of documents.
> I've attached a proposed patch.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org
[jira] Commented: (HTTPCLIENT-917) When authentication is
invalidated during redirection, proxy authentication also should be
invalidated
Posted by "Karl Wright (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HTTPCLIENT-917?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12837716#action_12837716 ]
Karl Wright commented on HTTPCLIENT-917:
----------------------------------------
Hi Oleg,
Believing it is resolved is good enough for me - thanks.
The issue of adoption of 4.x is complex. There are several stakeholders involved here, so maybe a little background will help.
First, Lucene Connector Framework's code base was recently granted to ASF by MetaCarta, Inc.. MetaCarta works primarily in the debian world, and the debian world has limited itself to HttpClient 3.1 for the medium-term future. Internal politics at MetaCarta make it hard for me to adopt packages later than those in the current debian distribution, but having said that, I can certainly lobby for permission to create my own httpclient 4.1 debian package for MetaCarta's use.
Second, let me put on my LCF hat. For LCF's purposes, 4.x's approach of having Httpclient's NTLM support be optional and reliant on jCIFS is problematic as well, since jCIFS is LGPL licensed. This is not insurmountable, but it is certainly a major complication. Now, the MetaCarta LCF Apache grant included a patch file for HttpClient 3.1-2 which included code for all three tickets I've submitted - and also includes a fully granted implementation of NTLM for HttpClient, which I've attached to ticket HTTPCLIENT-919. If you folks decide accept it, and use it in the 4.x code base, then our path to using 4.x in LCF is simply a matter of mechanics and time.
Finally, my overriding goal here has been to start the process of reconciling LCF's version of HttpClient with the version being distributed, so this is hoped to be an ongoing discussion.
Hope this helps....
Karl
> When authentication is invalidated during redirection, proxy authentication also should be invalidated
> ------------------------------------------------------------------------------------------------------
>
> Key: HTTPCLIENT-917
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-917
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpClient
> Affects Versions: 3.1 Final
> Reporter: Karl Wright
> Attachments: proxy-auth-invalidate.patch
>
>
> This was discovered during use by Lucene Connector Framework, on 3.1.
> When a document is fetched through a proxy authenticated with NTLM, and
> that document is a redirection (301 or 302), the httpclient fails to
> properly use the right proxy credentials on the subsequent document
> fetch. This leads to 407 errors on these kinds of documents.
> I've attached a proposed patch.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org
[jira] Commented: (HTTPCLIENT-917) When authentication is
invalidated during redirection, proxy authentication also should be
invalidated
Posted by "Karl Wright (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HTTPCLIENT-917?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12837684#action_12837684 ]
Karl Wright commented on HTTPCLIENT-917:
----------------------------------------
"Then I suggest you file the issue with Debian. "
That is what I have done. But that is nevertheless immaterial if this problem still exists in HttpClient 4.0, which I believe is the latest stable release. Can you guarantee that it is resolved in that version?
> When authentication is invalidated during redirection, proxy authentication also should be invalidated
> ------------------------------------------------------------------------------------------------------
>
> Key: HTTPCLIENT-917
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-917
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpClient
> Reporter: Karl Wright
> Attachments: proxy-auth-invalidate.patch
>
>
> This was discovered during use by Lucene Connector Framework, on 3.1.
> When a document is fetched through a proxy authenticated with NTLM, and
> that document is a redirection (301 or 302), the httpclient fails to
> properly use the right proxy credentials on the subsequent document
> fetch. This leads to 407 errors on these kinds of documents.
> I've attached a proposed patch.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org
[jira] Updated: (HTTPCLIENT-917) When authentication is invalidated
during redirection, proxy authentication also should be invalidated
Posted by "Ortwin Glück (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HTTPCLIENT-917?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ortwin Glück updated HTTPCLIENT-917:
------------------------------------
Affects Version/s: 3.1 Final
> When authentication is invalidated during redirection, proxy authentication also should be invalidated
> ------------------------------------------------------------------------------------------------------
>
> Key: HTTPCLIENT-917
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-917
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpClient
> Affects Versions: 3.1 Final
> Reporter: Karl Wright
> Attachments: proxy-auth-invalidate.patch
>
>
> This was discovered during use by Lucene Connector Framework, on 3.1.
> When a document is fetched through a proxy authenticated with NTLM, and
> that document is a redirection (301 or 302), the httpclient fails to
> properly use the right proxy credentials on the subsequent document
> fetch. This leads to 407 errors on these kinds of documents.
> I've attached a proposed patch.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org
[jira] Commented: (HTTPCLIENT-917) When authentication is
invalidated during redirection, proxy authentication also should be
invalidated
Posted by "Oleg Kalnichevski (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HTTPCLIENT-917?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12837727#action_12837727 ]
Oleg Kalnichevski commented on HTTPCLIENT-917:
----------------------------------------------
> a fully granted implementation of NTLM for HttpClient
What exactly do you mean by granted implementation? Granted by what entity? Is Microsoft aware of this implementation and of the fact that this code can be distributed as a part of an open source project?
Oleg
> When authentication is invalidated during redirection, proxy authentication also should be invalidated
> ------------------------------------------------------------------------------------------------------
>
> Key: HTTPCLIENT-917
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-917
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpClient
> Affects Versions: 3.1 Final
> Reporter: Karl Wright
> Attachments: proxy-auth-invalidate.patch
>
>
> This was discovered during use by Lucene Connector Framework, on 3.1.
> When a document is fetched through a proxy authenticated with NTLM, and
> that document is a redirection (301 or 302), the httpclient fails to
> properly use the right proxy credentials on the subsequent document
> fetch. This leads to 407 errors on these kinds of documents.
> I've attached a proposed patch.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org
[jira] Commented: (HTTPCLIENT-917) When authentication is
invalidated during redirection, proxy authentication also should be
invalidated
Posted by "Oleg Kalnichevski (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HTTPCLIENT-917?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12837701#action_12837701 ]
Oleg Kalnichevski commented on HTTPCLIENT-917:
----------------------------------------------
Karl,
(1) HttpComponents is an open-source project overseen by ASF. The only thing we can truly _guarantee_ here is that you get full source code and _nothing_ else.
(2) HttpClient 4.0 does a lot of things very differently compared to HttpClient 3.1, so there is really no way of telling whether the problem is still there without proper testing. However, just by looking at the code I do think HttpClient 4.0 is no longer affected by the bug.
http://hc.apache.org/httpcomponents-client/httpclient/xref/org/apache/http/impl/client/DefaultRequestDirector.html#995
(3) I will commit your patch to the 3.x branch tonight.
(4) I am not sure I fully understand why you are not able to upgrade Lucene Connector Framework to the latest version of HttpClient and what this has to do with Debian stable.
Oleg
> When authentication is invalidated during redirection, proxy authentication also should be invalidated
> ------------------------------------------------------------------------------------------------------
>
> Key: HTTPCLIENT-917
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-917
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpClient
> Affects Versions: 3.1 Final
> Reporter: Karl Wright
> Attachments: proxy-auth-invalidate.patch
>
>
> This was discovered during use by Lucene Connector Framework, on 3.1.
> When a document is fetched through a proxy authenticated with NTLM, and
> that document is a redirection (301 or 302), the httpclient fails to
> properly use the right proxy credentials on the subsequent document
> fetch. This leads to 407 errors on these kinds of documents.
> I've attached a proposed patch.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org
[jira] Updated: (HTTPCLIENT-917) When authentication is invalidated
during redirection, proxy authentication also should be invalidated
Posted by "Karl Wright (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HTTPCLIENT-917?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Karl Wright updated HTTPCLIENT-917:
-----------------------------------
Attachment: proxy-auth-invalidate.patch
> When authentication is invalidated during redirection, proxy authentication also should be invalidated
> ------------------------------------------------------------------------------------------------------
>
> Key: HTTPCLIENT-917
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-917
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpClient
> Reporter: Karl Wright
> Attachments: proxy-auth-invalidate.patch
>
>
> This was discovered during use by Lucene Connector Framework, on 3.1.
> When a document is fetched through a proxy authenticated with NTLM, and
> that document is a redirection (301 or 302), the httpclient fails to
> properly use the right proxy credentials on the subsequent document
> fetch. This leads to 407 errors on these kinds of documents.
> I've attached a proposed patch.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org
[jira] Resolved: (HTTPCLIENT-917) When authentication is
invalidated during redirection, proxy authentication also should be
invalidated
Posted by "Oleg Kalnichevski (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HTTPCLIENT-917?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Oleg Kalnichevski resolved HTTPCLIENT-917.
------------------------------------------
Resolution: Fixed
Fix Version/s: 3.1.1
Patch checked in.
Oleg
> When authentication is invalidated during redirection, proxy authentication also should be invalidated
> ------------------------------------------------------------------------------------------------------
>
> Key: HTTPCLIENT-917
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-917
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpClient
> Affects Versions: 3.1 Final
> Reporter: Karl Wright
> Fix For: 3.1.1
>
> Attachments: proxy-auth-invalidate.patch
>
>
> This was discovered during use by Lucene Connector Framework, on 3.1.
> When a document is fetched through a proxy authenticated with NTLM, and
> that document is a redirection (301 or 302), the httpclient fails to
> properly use the right proxy credentials on the subsequent document
> fetch. This leads to 407 errors on these kinds of documents.
> I've attached a proposed patch.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org
[jira] Commented: (HTTPCLIENT-917) When authentication is
invalidated during redirection, proxy authentication also should be
invalidated
Posted by "Oleg Kalnichevski (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/HTTPCLIENT-917?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12837484#action_12837484 ]
Oleg Kalnichevski commented on HTTPCLIENT-917:
----------------------------------------------
Karl,
The 3.1 code line is pretty much at end of life. I can commit the patch but there will be no official releases from the 3.x code line. Please consider upgrading to HttpClient 4.0
Oleg
> When authentication is invalidated during redirection, proxy authentication also should be invalidated
> ------------------------------------------------------------------------------------------------------
>
> Key: HTTPCLIENT-917
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-917
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpClient
> Reporter: Karl Wright
> Attachments: proxy-auth-invalidate.patch
>
>
> This was discovered during use by Lucene Connector Framework, on 3.1.
> When a document is fetched through a proxy authenticated with NTLM, and
> that document is a redirection (301 or 302), the httpclient fails to
> properly use the right proxy credentials on the subsequent document
> fetch. This leads to 407 errors on these kinds of documents.
> I've attached a proposed patch.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org