Posted to dev@hc.apache.org by bu...@apache.org on 2006/03/01 13:50:43 UTC

DO NOT REPLY [Bug 38818] New: - CONNECT fails with authentication Proxy

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG-RELATED
COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=38818>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=38818

           Summary: CONNECT fails with authentication Proxy
           Product: HttpClient
           Version: 3.0 Final
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Commons HttpClient
        AssignedTo: httpclient-dev@jakarta.apache.org
        ReportedBy: os@bos-bremen.de


Opening an HTTPS connection over an authenticating proxy (Basic auth. scheme)
fails if proxy credentials are not provided at the first try.

The following example code will fail:

HttpClient client = new HttpClient(new MultiThreadedHttpConnectionManager());
URL url = new URL("https://examplehttpsurl");
  
//first try 
GetMethod get = new GetMethod(url.toExternalForm());
HostConfiguration hc = new HostConfiguration();
hc.setHost(url.getHost(), 443, "https");
hc.setProxy("proxyhost", 4711);

try {
  client.executeMethod(hc, get);
} catch (Exception e){
  LOG.error("",e);
} finally {
  get.releaseConnection();
}

//returns 407 (expected)
LOG.debug("Answer: " + get.getStatusLine().toString()); 

//retry with credentials (normally requested from the user)
client.getState().setProxyCredentials(new AuthScope("proxyhost",4711),
      new NTCredentials("USER", "PASS", "", ""));

get = new GetMethod(url.toExternalForm());

try {
  client.executeMethod(hc, get);
} catch (Exception e) {
  e.printStackTrace();
} finally {
  get.releaseConnection();
}
//should be 200 but is 407
LOG.debug("Answer: " + get.getStatusLine().toString());



----------


From what I see from HttpMethodDirector.executeWithRetry(final
HttpMethod method), the cause is that the connection is kept open, and
thus the connect is never retried:


if (!this.conn.isOpen()) {
  // this connection must be opened before it can be used
  // This has nothing to do with opening a secure tunnel
  this.conn.open();
  if (this.conn.isProxied() && this.conn.isSecure() 
      && !(method instanceof ConnectMethod)) {
    // we need to create a secure tunnel before we can execute the real method
    if (!executeConnect()) {
      // abort, the connect method failed
      return;
    }
  }
}


If I add a conn.close() before returning on !executeConnect(), the
above code will work: the CONNECT is reattempted.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpclient-dev-help@jakarta.apache.org


DO NOT REPLY [Bug 38818] - Failed CONNECT leaves connection in an inconsistent state

Posted by bu...@apache.org.

------- Additional Comments From olegk@apache.org  2006-03-01 14:20 -------
(In reply to comment #3)
> Oleg,
> 
> Do you consider this a violation of the proxy protocol? I doubt that Squid is so
> bad at it.

No, I do not. This is clearly a problem on the HttpClient side

> Or do we have a chance to catch this situation and close the
> connection anyway (ignoring the keep-alive header). We can always close a
> connection without violating the HTTP specs.

This is correct. HTTP connection may be closed at any point of time without any
prior notice. 'Connection' headers are purely informational. They imply no
mandatory action.

It should be technically possible to recover from this situation without
dropping the connection, but I would rather choose to incur a slight performance
hit by reopening the connection, if the recovery logic proves too complicated.
Otherwise, it is a one line fix

Oleg




DO NOT REPLY [Bug 38818] - Failed CONNECT leaves connection in an inconsistent state

Posted by bu...@apache.org.

------- Additional Comments From odi@odi.ch  2006-03-01 14:08 -------
Oleg,

Do you consider this a violation of the proxy protocol? I doubt that Squid is so
bad at it. Or do we have a chance to catch this situation and close the
connection anyway (ignoring the keep-alive header). We can always close a
connection without violating the HTTP specs.



DO NOT REPLY [Bug 38818] - Failed CONNECT leaves connection in an inconsistent state

Posted by bu...@apache.org.

olegk@apache.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|normal                      |major
             Status|NEW                         |ASSIGNED
            Summary|CONNECT fails with          |Failed CONNECT leaves
                   |authentication Proxy        |connection in an
                   |                            |inconsistent state
   Target Milestone|---                         |3.0.1




------- Additional Comments From olegk@apache.org  2006-03-01 14:03 -------
If the CONNECT method fails (due to an authentication failure, for instance) and the
proxy requests the connection to be kept alive, the connection is returned back
to the connection manager in an inconsistent state (the connection is kept open
but the tunnel has not been established). This causes the subsequent methods
that reuse this connection to generate invalid HTTP requests.

Oleg
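
The failure described in the report and in the comment above, as an added example that is not part of the original thread and is not HttpClient source code. It is a simplified model: the classes Conn and FailedConnectModel, the stub proxy and the closeOnFailedConnect switch are hypothetical names, and the fall-through status of the untunnelled request is set to the 407 the reporter observed. Run without the close, the second attempt reuses the open, untunnelled connection and still gets 407; with the close, the CONNECT is retried with credentials and the result is 200.

```java
// Added illustration: a simplified model, not HttpClient source code.
public class FailedConnectModel {

    /** Stand-in for a pooled proxy connection (hypothetical class). */
    static class Conn {
        boolean open;      // socket to the proxy is open
        boolean tunneled;  // CONNECT succeeded, the tunnel exists
        void open()  { open = true;  tunneled = false; }
        void close() { open = false; tunneled = false; }
    }

    /** Stub proxy: answers 407 with keep-alive until credentials are sent. */
    static int proxyConnect(Conn c, String creds) {
        if (creds == null) return 407;   // the connection stays open
        c.tunneled = true;
        return 200;
    }

    /** Same shape as the executeWithRetry excerpt quoted in the report. */
    static int execute(Conn c, String creds, boolean closeOnFailedConnect) {
        if (!c.open) {
            c.open();
            int status = proxyConnect(c, creds);
            if (status != 200) {
                // The remedy the reporter describes: close before returning.
                if (closeOnFailedConnect) c.close();
                return status;
            }
        }
        // The real method goes out on whatever connection is open. Without a
        // tunnel, the stub proxy rejects it again with 407 (assumed here to
        // match the status the reporter saw).
        return c.tunneled ? 200 : 407;
    }

    /** First call without credentials, second with them, same connection. */
    static int[] run(boolean closeOnFailedConnect) {
        Conn pooled = new Conn();  // the manager hands back the same object
        int first = execute(pooled, null, closeOnFailedConnect);
        int second = execute(pooled, "USER:PASS", closeOnFailedConnect);
        return new int[] { first, second };
    }

    public static void main(String[] args) {
        int[] buggy = run(false);
        int[] fixed = run(true);
        System.out.println("without close: " + buggy[0] + ", " + buggy[1]);
        System.out.println("with close:    " + fixed[0] + ", " + fixed[1]);
    }
}
```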



DO NOT REPLY [Bug 38818] - Failed CONNECT leaves connection in an inconsistent state

Posted by bu...@apache.org.

------- Additional Comments From olegk@apache.org  2006-03-02 17:46 -------
Created an attachment (id=17821)
 --> (http://issues.apache.org/bugzilla/attachment.cgi?id=17821&action=view)
Patch (take 1)

This should take care of the problem. Please review

Oleg



DO NOT REPLY [Bug 38818] - Failed CONNECT leaves connection in an inconsistent state

Posted by bu...@apache.org.

------- Additional Comments From http-async@dubioso.net  2006-03-04 18:23 -------
I'm not familiar with all the details of the code,
but this change looks OK to me.

cheers,
  Roland



DO NOT REPLY [Bug 38818] - CONNECT fails with authentication Proxy

Posted by bu...@apache.org.

------- Additional Comments From os@bos-bremen.de  2006-03-01 13:52 -------
Created an attachment (id=17812)
 --> (http://issues.apache.org/bugzilla/attachment.cgi?id=17812&action=view)
Wire log of the execution of the sample code

This is the wire log of the execution of the example code. Hostnames are
anonymized.



DO NOT REPLY [Bug 38818] - Failed CONNECT leaves connection in an inconsistent state

Posted by bu...@apache.org.

olegk@apache.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED




------- Additional Comments From olegk@apache.org  2006-03-06 09:44 -------
Patch checked in

Oleg



DO NOT REPLY [Bug 38818] - Failed CONNECT leaves connection in an inconsistent state

Posted by bu...@apache.org.

------- Additional Comments From odi@odi.ch  2006-03-06 08:43 -------
Yeah, test case is dearly needed. It's a reoccurring issue that one of those
combinations of (proxy, SSL, auth(scheme) proxy, auth(scheme) server) breaks. I
am not very good at combinatorics, but there seem to be about ~32 possibilities
to combine those. It's very hard to achieve full test coverage of the possible
state space. I was thinking of refactoring the test suite so it can be run with
any combination of the above. But I guess that's something for another
summer-of-code...



DO NOT REPLY [Bug 38818] - Failed CONNECT leaves connection in an inconsistent state

Posted by bu...@apache.org.

------- Additional Comments From becke@u.washington.edu  2006-03-06 03:19 -------
Looks fine to me.  We should probably add a test case if possible so this one
doesn't pop up again.

Mike



DO NOT REPLY [Bug 38818] - Failed CONNECT leaves connection in an inconsistent state

Posted by bu...@apache.org.

------- Additional Comments From os@bos-bremen.de  2006-03-02 18:13 -------
(In reply to comment #5)
> Created an attachment (id=17821)
>  --> (http://issues.apache.org/bugzilla/attachment.cgi?id=17821&action=view)
> Patch (take 1)
> 
> This should take care of the problem. Please review
> 
> Oleg

Did work for me.



DO NOT REPLY [Bug 38818] - Failed CONNECT leaves connection in an inconsistent state

Posted by bu...@apache.org.

------- Additional Comments From olegk@apache.org  2006-03-06 09:33 -------
(In reply to comment #9)
> Yeah, test case is dearly needed. It's a reoccurring issue that one of those
> combinations of (proxy, SSL, auth(scheme) proxy, auth(scheme) server) breaks. I
> am not very good at combinatorics, but there seem to be about ~32 possibilities
> to combine those. It's very hard to achieve full test coverage of the possible
> state space. I was thinking of refactoring the test suite so it can be run with
> any combination of the above. But I guess that's something for another
> summer-of-code...

Odi,
I seriously doubt that refactoring of the test suite will help. It is HttpClient
that is in need of refactoring. Presently SSL tunneling, authentication,
redirects handling, connection persistence aspects are all inseparably coupled
in the HttpMethodDirector and cannot be adequately unit-tested.

I considered writing a test case for this bug, and decided to not invest time
into that, as I do not see a good way to test the bug independently from the
underlying connection manager (the connection manager would have to return THE
SAME connection for the test case to be meaningful). Essentially the test case
would test the assumptions of the inner working of the connection manager rather
than SSL tunneling code

Oleg
