You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@hc.apache.org by Michael Becke <be...@u.washington.edu> on 2003/04/27 22:55:50 UTC
Re: DO NOT REPLY [Bug 19226] - NTLM authentication failed due to closing of connection
The proxy seems to be sending a "Proxy-Connection: close" on the first
try as well, even though you are using HTTP 1.1.
Mike
On Sunday, April 27, 2003, at 04:09 PM, bugzilla@apache.org wrote:
> DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
> RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
> <http://nagoya.apache.org/bugzilla/show_bug.cgi?id=19226>.
> ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
> INSERTED IN THE BUG DATABASE.
>
> http://nagoya.apache.org/bugzilla/show_bug.cgi?id=19226
>
> NTLM authentication failed due to closing of connection
>
>
>
>
>
> ------- Additional Comments From olegk@apache.org 2003-04-27 20:09
> -------
> Ok. I think I found the trouble-maker. HttpClient downgrades HTTP
> protocol
> version to 1.0 in when sending requests via a HTTP/1.0 proxy server.
> No wonder
> the proxy does not keep the connection alive.
>
> 04:24:256[DEBUG] HttpMethod - -Execute loop try 1
> ...
> 04:24:287[DEBUG] wire - ->> "GET http://www.google.fr/
> HTTP/1.1[\r][\n]"
> ...
> 04:24:474[DEBUG] wire - -<< "HTTP/1.0 407 Proxy Authentication
> Required[\r][\n]"
> ...
> 04:24:537[DEBUG] wire - -<< "Server:
> squid/2.5.STABLE1-20030121[\r][\n]"
> 04:24:537[DEBUG] wire - -<< "Mime-Version: 1.0[\r][\n]"
> 04:24:537[DEBUG] wire - -<< "Date: Sat, 26 Apr 2003 11:04:24
> GMT[\r][\n]"
> 04:24:537[DEBUG] wire - -<< "Content-Type: text/html[\r][\n]"
> 04:24:537[DEBUG] wire - -<< "Content-Length: 1289[\r][\n]"
> 04:24:537[DEBUG] wire - -<< "Expires: Sat, 26 Apr 2003 11:04:24
> GMT[\r][\n]"
> 04:24:537[DEBUG] wire - -<< "X-Squid-Error: ERR_CACHE_ACCESS_DENIED
> 0[\r][\n]"
> 04:24:537[DEBUG] wire - -<< "Proxy-Authenticate: NTLM[\r][\n]"
> 04:24:553[DEBUG] wire - -<< "X-Cache: MISS from roland[\r][\n]"
> 04:24:553[DEBUG] wire - -<< "Proxy-Connection: close[\r][\n]"
> ...
> 04:24:803[DEBUG] HttpMethod - -Execute loop try 2
> ...
> 04:24:818[DEBUG] wire - ->> "GET http://www.google.fr/
> HTTP/1.0[\r][\n]"
> ...
>
> The question is whether this kind of behavior is wrong or not? Shall
> 407
> response be treated specially when deciding whether HTTP protocol is
> to be
> downgraded? Any opinions?
>
> Oleg
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> commons-httpclient-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail:
> commons-httpclient-dev-help@jakarta.apache.org
>
Re: DO NOT REPLY [Bug 19226] - NTLM authentication failed due to
closing of connection
Posted by Oleg Kalnichevski <o....@dplanet.ch>.
On Sun, 2003-04-27 at 23:45, Michael Becke wrote:
> Are you saying that if credentials were present on the first pass then
> "Proxy-Connection: close" would not be sent?
>
Exactly. It's just a guess, though. It remains to be seen if my
assumptions holds true to reality.
Oleg
Re: DO NOT REPLY [Bug 19226] - NTLM authentication failed due to closing of connection
Posted by Adrian Sutton <ad...@intencha.com>.
Squid does not send Proxy-Connection close if HttpClient sends a
Proxy-Connection: keep-alive header, Squid doesn't seem to have any
real knowledge of how NTLM works except that it talks to some
authentication component and gets a header that needs to be added.
Note that when keep-alive is not sent by HttpClient Squid closes the
connection regardless of the content of any other header (ie: even if
the NTLM authentication attempt is present).
The simplest solution that I can see (and it seems like a really good
idea), is that HttpClient adds a Proxy-Connection: keep-alive header
whenever it attempts NTLM authentication (Connection: keep-alive as
well when authenticating with a server). That would be then provide a
request from HttpClient to keep the connection alive which the server
may still choose to reject, but we'd have done all we can to tell it
about the particular requirements of NTLM.
Regards,
Adrian Sutton.
On Monday, April 28, 2003, at 07:45 AM, Michael Becke wrote:
> Are you saying that if credentials were present on the first pass then
> "Proxy-Connection: close" would not be sent?
>
> My assumption with NTLM has been that it requires multiple passes to
> be fully authenticated. So I was thinking that the "while
> (forwardCount++ < MAX_FORWARDS)" loop in execute() would get run a few
> times. If this is correct then responseStream.close() will get called
> each time at the bottom of the loop. This will have the effect of
> closing the connection if "keep-alive" is not set.
>
> Mike
Re: DO NOT REPLY [Bug 19226] - NTLM authentication failed due to closing of connection
Posted by Michael Becke <be...@u.washington.edu>.
Are you saying that if credentials were present on the first pass then
"Proxy-Connection: close" would not be sent?
My assumption with NTLM has been that it requires multiple passes to be
fully authenticated. So I was thinking that the "while (forwardCount++
< MAX_FORWARDS)" loop in execute() would get run a few times. If this
is correct then responseStream.close() will get called each time at the
bottom of the loop. This will have the effect of closing the
connection if "keep-alive" is not set.
Mike
On Sunday, April 27, 2003, at 05:33 PM, Oleg Kalnichevski wrote:
> That's clear. My assumption is that if HTTP version were 1.1 and NTLM
> credentials were present the server would know that NTLM authentication
> handshake were underway and the connection would not be closed. I still
> have to test this assumption, though.
>
> Oleg
>
> On Sun, 2003-04-27 at 23:22, Michael Becke wrote:
>> The problem is that the connection will be closed by
>> responseBodyConsumed() because shouldCloseConnection() will be true.
>>
>> Mike
>>
>> On Sunday, April 27, 2003, at 05:00 PM, Oleg Kalnichevski wrote:
>>
>>> On Sun, 2003-04-27 at 22:55, Michael Becke wrote:
>>>> The proxy seems to be sending a "Proxy-Connection: close" on the
>>>> first
>>>> try as well, even though you are using HTTP 1.1.
>>>>
>>>
>>> That's perfectly all right as the connection is supposed to be closed
>>> due to the failed authentication. This is a spec compliant behavior
>>> as
>>> far as I can tell
>>>
>>> Oleg
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail:
>>> commons-httpclient-dev-unsubscribe@jakarta.apache.org
>>> For additional commands, e-mail:
>>> commons-httpclient-dev-help@jakarta.apache.org
>>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail:
>> commons-httpclient-dev-unsubscribe@jakarta.apache.org
>> For additional commands, e-mail:
>> commons-httpclient-dev-help@jakarta.apache.org
>>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> commons-httpclient-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail:
> commons-httpclient-dev-help@jakarta.apache.org
>
Re: DO NOT REPLY [Bug 19226] - NTLM authentication failed due to
closing of connection
Posted by Oleg Kalnichevski <o....@dplanet.ch>.
That's clear. My assumption is that if HTTP version were 1.1 and NTLM
credentials were present the server would know that NTLM authentication
handshake were underway and the connection would not be closed. I still
have to test this assumption, though.
Oleg
On Sun, 2003-04-27 at 23:22, Michael Becke wrote:
> The problem is that the connection will be closed by
> responseBodyConsumed() because shouldCloseConnection() will be true.
>
> Mike
>
> On Sunday, April 27, 2003, at 05:00 PM, Oleg Kalnichevski wrote:
>
> > On Sun, 2003-04-27 at 22:55, Michael Becke wrote:
> >> The proxy seems to be sending a "Proxy-Connection: close" on the first
> >> try as well, even though you are using HTTP 1.1.
> >>
> >
> > That's perfectly all right as the connection is supposed to be closed
> > due to the failed authentication. This is a spec compliant behavior as
> > far as I can tell
> >
> > Oleg
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail:
> > commons-httpclient-dev-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail:
> > commons-httpclient-dev-help@jakarta.apache.org
> >
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: commons-httpclient-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: commons-httpclient-dev-help@jakarta.apache.org
>
Re: DO NOT REPLY [Bug 19226] - NTLM authentication failed due to closing of connection
Posted by Michael Becke <be...@u.washington.edu>.
The problem is that the connection will be closed by
responseBodyConsumed() because shouldCloseConnection() will be true.
Mike
On Sunday, April 27, 2003, at 05:00 PM, Oleg Kalnichevski wrote:
> On Sun, 2003-04-27 at 22:55, Michael Becke wrote:
>> The proxy seems to be sending a "Proxy-Connection: close" on the first
>> try as well, even though you are using HTTP 1.1.
>>
>
> That's perfectly all right as the connection is supposed to be closed
> due to the failed authentication. This is a spec compliant behavior as
> far as I can tell
>
> Oleg
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> commons-httpclient-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail:
> commons-httpclient-dev-help@jakarta.apache.org
>
Re: DO NOT REPLY [Bug 19226] - NTLM authentication failed due to
closing of connection
Posted by Oleg Kalnichevski <o....@dplanet.ch>.
On Sun, 2003-04-27 at 22:55, Michael Becke wrote:
> The proxy seems to be sending a "Proxy-Connection: close" on the first
> try as well, even though you are using HTTP 1.1.
>
That's perfectly all right as the connection is supposed to be closed
due to the failed authentication. This is a spec compliant behavior as
far as I can tell
Oleg