You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@hc.apache.org by "Oleg Kalnichevski (JIRA)" <ji...@apache.org> on 2013/04/15 12:28:15 UTC
[jira] [Resolved] (HTTPCLIENT-1338) Caching of digest credentials
broken when server expires nonce (regression bug)
[ https://issues.apache.org/jira/browse/HTTPCLIENT-1338?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Oleg Kalnichevski resolved HTTPCLIENT-1338.
-------------------------------------------
Resolution: Fixed
Fix Version/s: 4.2.5
Fixed in SVN trunk and 4.2.x branch. Please re-test / review.
Oleg
> Caching of digest credentials broken when server expires nonce (regression bug)
> --------------------------------------------------------------------------------
>
> Key: HTTPCLIENT-1338
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1338
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpClient
> Affects Versions: 4.2.4, 4.3 Beta1
> Reporter: F Carlsen
> Labels: digest, performance, regression
> Fix For: 4.2.5, 4.3 Beta2
>
> Attachments: 4.1.3.txt, 4.2.3.txt
>
>
> In 4.2.3 caching of digest authentication is broken after server issues new nonce.
> By default (when using a new local HttpContext for each request) the client will receive a 401 before every successful 200. To avoid this, the HttpContext must be reused between requests. This initializes the AuthCache and creates 1 DigestScheme instance, and subsequent requests will be "pre-authenticated" based on the first returned nonce from the server. One will then get one 401 first with server issued nonce, then subsequent requests will make use of this nonce to authenticate and avoid superfluous 401s. As the BasicHttpContext is not thread-safe it must be cached by thread if the client can issue requests on multiple threads.
> So far so good,
> However, when the server issues a new nonce (after it perhaps has expired or maybe been reverse proxied over to a different server instance) then it doesn't cache the updated nonce, but we end up trying to reuse the old one as long as we reuse an AuthCache. So caching the nonce from the server only works for a short while until the server decideds to change it, and thereafter it is back to getting a 401 for every request first before it succeeds.
> This happens because when it fails after nonce is expired it creates a new DigestScheme instance inside the TargetAuthenticationStrategy, but this new instance is only cached for the ongoing request (until 200 received) and afterwards discarded, while the reused HttpContext now has an AuthCache which references the old DigestScheme with the original nonce from the server. On subsequent tries we then end up reusing an old DigestScheme instance with an out-of-date nonce, but have no way detecting that the nonce was updated as this takes place wholly inside AbstractHttpClient, and it creates a new DigestScheme which isn't set in the reused HttpContext.
> The result is a performance issue, as it then has to issue two http calls for every request to succeed, even though the credentials provided are cached and available on the client.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org