Posted to issues@cxf.apache.org by "Kevin Linke (JIRA)" <ji...@apache.org> on 2010/10/29 09:42:22 UTC

[jira] Created: (CXF-3100) HTTPConduit doesn't handle cookies when retransmitting in case of "401 Unauthorized" response

HTTPConduit doesn't handle cookies when retransmitting in case of "401 Unauthorized" response
---------------------------------------------------------------------------------------------

                 Key: CXF-3100
                 URL: https://issues.apache.org/jira/browse/CXF-3100
             Project: CXF
          Issue Type: Bug
          Components: Transports
            Reporter: Kevin Linke
         Attachments: HTTPConduit.java

Hello,

we are consuming a web service that requires http basic authentication and tries to establish a cookie-based session with the client. So the response to the first request is always a "401 Unauthorized" response including a "Set-Cookie" header, even if the first request already contains the basic authentication header with the correct credentials. The request is only accepted if both the basic authentication header and the cookie header with the cookie from the "401 Unauthorized" response are set. 

Calling the web service using SoapUI works fine. You can see in the log the initial request, the 401 response including the "Set-Cookie" header and the retransmitted request with the corresponding cookie header set, resulting in a successful response. Everything as expected.

When using CXF, there is an infinite loop (request -> 401 -> retransmit -> 401 and so on) until a protocol exception is thrown (too many retransmits/redirects). The reason is that the expected cookie header is not set when retransmitting the request, even if the parameter "BindingProvider.SESSION_MAINTAIN_PROPERTY" is set to true.

Investigating the source code of the org.apache.cxf.transport.http.HTTPConduit class I found out that when retransmitting in case of 301, 302 or 401 responses the part of the code evaluating the "Set-Cookie" headers of the response is never reached, which is not correct in my opinion.

I did some changes to the org.apache.cxf.transport.http.HTTPConduit class (see attachment) so that it works now with the specified scenario. Is it possible to fix this overall issue in a future release? 

Notes:
- we are using Apache CXF 2.2.9
- soap over http (with ssl) and http basic authentication
- the modified org.apache.cxf.transport.http.HTTPConduit class is also based on the 2.2.9 sources
- all changes of the org.apache.cxf.transport.http.HTTPConduit class are labeled "// KLI:"

Thanks,
Kevin

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
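
The exchange described in the report above, as an added example (not the attached patch and not CXF's own code): a self-contained Java model in which a constructed server answers 401 with "Set-Cookie" until a request carries both the Basic credentials and that cookie, and a client retransmit loop either skips or reads the cookie before retrying. All class, method and constant names, the credentials, the cookie value and the retransmit cap are assumptions made for the illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration (Java 16+). Every name here is hypothetical, not CXF API.
public class RetransmitCookieDemo {
    record Response(int status, Map<String, String> headers) {}

    static final String BASIC = "Basic dXNlcjpwYXNz"; // constructed: base64("user:pass")
    static final int MAX_RETRANSMITS = 5;             // constructed cap on retransmits

    // Constructed stand-in for the reported service: 401 plus Set-Cookie until
    // the request carries both the Authorization header and the session cookie.
    static Response server(Map<String, String> request) {
        boolean authOk = BASIC.equals(request.get("Authorization"));
        boolean cookieOk = "JSESSIONID=abc123".equals(request.get("Cookie"));
        if (authOk && cookieOk) {
            return new Response(200, Map.of());
        }
        return new Response(401, Map.of("Set-Cookie", "JSESSIONID=abc123; Path=/; Secure"));
    }

    // Keep only the name=value pair of a Set-Cookie header; attributes are dropped.
    static void storeCookie(Response response, Map<String, String> jar) {
        String header = response.headers().get("Set-Cookie");
        if (header == null) {
            return;
        }
        String pair = header.split(";", 2)[0].trim();
        int eq = pair.indexOf('=');
        if (eq > 0) {
            jar.put(pair.substring(0, eq), pair.substring(eq + 1));
        }
    }

    // Serialize the jar into a single Cookie request header value.
    static String cookieHeader(Map<String, String> jar) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : jar.entrySet()) {
            if (sb.length() > 0) {
                sb.append("; ");
            }
            sb.append(e.getKey()).append('=').append(e.getValue());
        }
        return sb.toString();
    }

    // Returns the number of requests sent before a final (non-retransmit) response.
    // readCookiesBeforeRetransmit=false models the reported behaviour: Set-Cookie
    // is evaluated only on the final response, so the 401's cookie is never stored.
    static int call(boolean readCookiesBeforeRetransmit) {
        Map<String, String> jar = new LinkedHashMap<>();
        for (int sent = 1; sent <= 1 + MAX_RETRANSMITS; sent++) {
            Map<String, String> request = new LinkedHashMap<>();
            request.put("Authorization", BASIC);
            if (!jar.isEmpty()) {
                request.put("Cookie", cookieHeader(jar));
            }
            Response response = server(request);
            int status = response.status();
            boolean retransmit = status == 301 || status == 302 || status == 401;
            if (!retransmit || readCookiesBeforeRetransmit) {
                storeCookie(response, jar);
            }
            if (!retransmit) {
                return sent;
            }
        }
        throw new IllegalStateException("too many retransmits");
    }

    public static void main(String[] args) {
        System.out.println("cookies read before retransmit: " + call(true) + " requests");
        try {
            call(false);
        } catch (IllegalStateException e) {
            System.out.println("cookies skipped on 401: " + e.getMessage());
        }
    }
}
```

The cap matters in both modes: it is what turns the endless 401 cycle into a visible failure when the cookie is never picked up.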


[jira] Commented: (CXF-3100) HTTPConduit doesn't handle cookies when retransmitting in case of "401 Unauthorized" response

Posted by "Willem Jiang (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-3100?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12927738#action_12927738 ] 

Willem Jiang commented on CXF-3100:
-----------------------------------

Hi Kevin,

Thanks for your contribution.
Can you submit a diff file instead of the whole HttpConduit.java, so I can apply the patch more easily.

Willem

> HTTPConduit doesn't handle cookies when retransmitting in case of "401 Unauthorized" response
> ---------------------------------------------------------------------------------------------
>
>                 Key: CXF-3100
>                 URL: https://issues.apache.org/jira/browse/CXF-3100
>             Project: CXF
>          Issue Type: Bug
>          Components: Transports
>            Reporter: Kevin Linke
>         Attachments: HTTPConduit.java


[jira] Commented: (CXF-3100) HTTPConduit doesn't handle cookies when retransmitting in case of "401 Unauthorized" response

Posted by "Kevin Linke (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-3100?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12932405#action_12932405 ] 

Kevin Linke commented on CXF-3100:
----------------------------------

Hi Willem,

I found out that my first solution didn't resolve the problem completely, so I reworked my changes and attached another version of the patched HTTPConduit file and a corresponding diff file (both with extension .v2). 

Kevin

> HTTPConduit doesn't handle cookies when retransmitting in case of "401 Unauthorized" response
> ---------------------------------------------------------------------------------------------
>
>                 Key: CXF-3100
>                 URL: https://issues.apache.org/jira/browse/CXF-3100
>             Project: CXF
>          Issue Type: Bug
>          Components: Transports
>            Reporter: Kevin Linke
>            Assignee: Willem Jiang
>         Attachments: HTTPConduit.diff, HTTPConduit.java


[jira] Updated: (CXF-3100) HTTPConduit doesn't handle cookies when retransmitting in case of "401 Unauthorized" response

Posted by "Kevin Linke (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CXF-3100?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kevin Linke updated CXF-3100:
-----------------------------

    Attachment: HTTPConduit.java.v2
                HTTPConduit.diff.v2

> HTTPConduit doesn't handle cookies when retransmitting in case of "401 Unauthorized" response
> ---------------------------------------------------------------------------------------------
>
>                 Key: CXF-3100
>                 URL: https://issues.apache.org/jira/browse/CXF-3100
>             Project: CXF
>          Issue Type: Bug
>          Components: Transports
>            Reporter: Kevin Linke
>            Assignee: Willem Jiang
>         Attachments: HTTPConduit.diff, HTTPConduit.diff.v2, HTTPConduit.java, HTTPConduit.java.v2


[jira] Resolved: (CXF-3100) HTTPConduit doesn't handle cookies when retransmitting in case of "401 Unauthorized" response

Posted by "Daniel Kulp (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CXF-3100?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Kulp resolved CXF-3100.
------------------------------

       Resolution: Fixed
    Fix Version/s: 2.3.1
                   2.2.12
         Assignee: Daniel Kulp  (was: Willem Jiang)

> HTTPConduit doesn't handle cookies when retransmitting in case of "401 Unauthorized" response
> ---------------------------------------------------------------------------------------------
>
>                 Key: CXF-3100
>                 URL: https://issues.apache.org/jira/browse/CXF-3100
>             Project: CXF
>          Issue Type: Bug
>          Components: Transports
>            Reporter: Kevin Linke
>            Assignee: Daniel Kulp
>             Fix For: 2.2.12, 2.3.1
>
>         Attachments: HTTPConduit.diff, HTTPConduit.diff.v2, HTTPConduit.java, HTTPConduit.java.v2


[jira] Updated: (CXF-3100) HTTPConduit doesn't handle cookies when retransmitting in case of "401 Unauthorized" response

Posted by "Kevin Linke (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CXF-3100?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kevin Linke updated CXF-3100:
-----------------------------

    Attachment: HTTPConduit.java

> HTTPConduit doesn't handle cookies when retransmitting in case of "401 Unauthorized" response
> ---------------------------------------------------------------------------------------------
>
>                 Key: CXF-3100
>                 URL: https://issues.apache.org/jira/browse/CXF-3100
>             Project: CXF
>          Issue Type: Bug
>          Components: Transports
>            Reporter: Kevin Linke
>         Attachments: HTTPConduit.java


[jira] Assigned: (CXF-3100) HTTPConduit doesn't handle cookies when retransmitting in case of "401 Unauthorized" response

Posted by "Willem Jiang (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CXF-3100?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Willem Jiang reassigned CXF-3100:
---------------------------------

    Assignee: Willem Jiang

> HTTPConduit doesn't handle cookies when retransmitting in case of "401 Unauthorized" response
> ---------------------------------------------------------------------------------------------
>
>                 Key: CXF-3100
>                 URL: https://issues.apache.org/jira/browse/CXF-3100
>             Project: CXF
>          Issue Type: Bug
>          Components: Transports
>            Reporter: Kevin Linke
>            Assignee: Willem Jiang
>         Attachments: HTTPConduit.java


[jira] Updated: (CXF-3100) HTTPConduit doesn't handle cookies when retransmitting in case of "401 Unauthorized" response

Posted by "Kevin Linke (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CXF-3100?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kevin Linke updated CXF-3100:
-----------------------------

    Attachment: HTTPConduit.diff

Hi Willem,

I added a diff file as requested. If you need another format or if you have trouble with the file (I created this on Windows XP) please let me know.

Please note that this patch is based on the CXF 2.2.9 sources!

Thanks,
Kevin

> HTTPConduit doesn't handle cookies when retransmitting in case of "401 Unauthorized" response
> ---------------------------------------------------------------------------------------------
>
>                 Key: CXF-3100
>                 URL: https://issues.apache.org/jira/browse/CXF-3100
>             Project: CXF
>          Issue Type: Bug
>          Components: Transports
>            Reporter: Kevin Linke
>            Assignee: Willem Jiang
>         Attachments: HTTPConduit.diff, HTTPConduit.java