You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@cxf.apache.org by "Kevin Linke (JIRA)" <ji...@apache.org> on 2010/11/03 10:12:28 UTC

[jira] Updated: (CXF-3100) HTTPConduit doesn't handle cookies when retransmitting in case of "401 Unauthorized" response

     [ https://issues.apache.org/jira/browse/CXF-3100?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kevin Linke updated CXF-3100:
-----------------------------

    Attachment: HTTPConduit.diff

Hi Willem,

I added a diff file as requested. If you need another format or if you have trouble with the file (I created this on windows xp) please let me know.

Please note that this patch is based on the cxf 2.2.9 sources!

Thanks,
Kevin

> HTTPConduit doesn't handle cookies when retransmitting in case of "401 Unauthorized" response
> ---------------------------------------------------------------------------------------------
>
>                 Key: CXF-3100
>                 URL: https://issues.apache.org/jira/browse/CXF-3100
>             Project: CXF
>          Issue Type: Bug
>          Components: Transports
>            Reporter: Kevin Linke
>            Assignee: Willem Jiang
>         Attachments: HTTPConduit.diff, HTTPConduit.java
>
>
> Hello,
> we are consuming a web service that requires http basic authentication and tries to establish a cookie-based session with the client. So the response to the first request is always a "401 Unauthorized" response including a "Set-Cookie" header, even if the first request already contains the basic authentication header with the correct credentials. The request is only accepted if both the basic authentication header and the cookie header with the cookie from the "401 Unauthorized" response are set. 
> Calling the web service using SoapUI works fine. You can see in the log the initial request, the 401 reponse including the "Set-Cookie" header and the retransmitted request with the corresponding cookie header set, resulting in a successful response. Everything as expected.
> When using CXF, there is an infinite loop (request -> 401 -> retransmit -> 401 and so on) until a protocol exception is thrown (too many retransmits/redirects). The reason is that the expected cookie header is not set when retransmitting the request, even if the parameter "BindingProvider.SESSION_MAINTAIN_PROPERTY" is set to true.
> Investigating the source code of the org.apache.cxf.transport.http.HTTPConduit class I found out that when retransmitting in case of 301,302 or 401 reponses the part of the code evaluating the "Set-Cookie" headers of the response is never reached, which is not correct in my opinion.
> I did some changes to the org.apache.cxf.transport.http.HTTPConduit class (see attachment) so that it works now with the specified scenario. Is it possible to fix this overall issue in a future release? 
> Notes:
> - we are using Apache CXF 2.2.9
> - soap over http (with ssl) and http basic authentication
> - the modified org.apache.cxf.transport.http.HTTPConduit class is also based on the 2.2.9 sources
> - all changes of the org.apache.cxf.transport.http.HTTPConduit class are labeled "// KLI:"
> Thanks,
> Kevin

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.