Posted to dev@hc.apache.org by "Volker Jung (JIRA)" <ji...@apache.org> on 2019/01/15 09:25:00 UTC

[jira] [Updated] (HTTPCLIENT-1961) Authentication ignores cookies

     [ https://issues.apache.org/jira/browse/HTTPCLIENT-1961?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Volker Jung updated HTTPCLIENT-1961:
------------------------------------
    Description: 
A cookie received in a 401 'Unauthorized' response does not get processed.

I am trying to get SSO (using 'Negotiate' scheme) working using WinHttpClients. The flow is as follows:
 * The original request gets redirected (302 'Moved temporarily') to a URL of an authentication service.
 * The authentication service responds with a 401 'Unauthorized' response, containing the authentication challenge ('Negotiate' scheme) and a cookie with a JSessionId.
 * The HTTP-Client handles the authentication challenge, adding the authentication response header, but does not process the cookie, therefore not adding the cookie to the response.

As a consequence, the authentication service does not handle the authentication response and the connection runs into a timeout.

As far as I understand the code, the problem might be that the authentication handling is done solely in class 'MainClientExec', while the processing of request- and response-interceptors takes place in 'ProtocolExec' which decorates 'MainClientExec' (as built by HttpClientBuilder). Since processing cookies is done through interceptors (ResponseProcessCookies, ResponseAddCookies), cookies of 401 'Unauthorized' responses are never processed.

  was:
A cookie received in a 401 'Unauthorized' response does not get processed.

I am trying to get SSO (using 'Negotiate' scheme) working using WinHttpClients. The flow is as follows:
 * The original request gets redirected (302 'Moved temporarily') to a URL of an authentication service.
 * The authentication service responds with a 401 'Unauthorized' response, containing the authentication challenge ('Negotiate' scheme) and a cookie with a JSessionId.
 * The HTTP-Client handles the authentication challenge, adding the authentication response header, but does not process the cookie, therefore not adding the cookie to the response.

As a consequence, the authentication service does not handle the authentication response and the connection runs into a timeout.

As far as I understand the code, the problem might be that the authentication handling is done solely in class 'MainClientExec', while the processing of request- and response-interceptors takes place in 'ProtocolExec' which decorates 'MainClientExec' (as built by HttpClientBuilder). Since processing cookies is done via a response-interceptor, cookies of 401 'Unauthorized' responses are never processed.


> Authentication ignores cookies
> ------------------------------
>
>                 Key: HTTPCLIENT-1961
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1961
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient (classic), HttpClient (Windows)
>    Affects Versions: 4.5.6
>            Reporter: Volker Jung
>            Priority: Major
>
> A cookie received in a 401 'Unauthorized' response does not get processed.
> I am trying to get SSO (using 'Negotiate' scheme) working using WinHttpClients. The flow is as follows:
>  * The original request gets redirected (302 'Moved temporarily') to a URL of an authentication service.
>  * The authentication service responds with a 401 'Unauthorized' response, containing the authentication challenge ('Negotiate' scheme) and a cookie with a JSessionId.
>  * The HTTP-Client handles the authentication challenge, adding the authentication response header, but does not process the cookie, therefore not adding the cookie to the response.
> As a consequence, the authentication service does not handle the authentication response and the connection runs into a timeout.
> As far as I understand the code, the problem might be that the authentication handling is done solely in class 'MainClientExec', while the processing of request- and response-interceptors takes place in 'ProtocolExec' which decorates 'MainClientExec' (as built by HttpClientBuilder). Since processing cookies is done through interceptors (ResponseProcessCookies, ResponseAddCookies), cookies of 401 'Unauthorized' responses are never processed.



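The following is an added diagnostic harness for the behaviour described in this issue; it is not code from the reporter or from the HttpClient project. It stands up a tiny local "authentication service" with the JDK's built-in com.sun.net.httpserver that answers the first request with a 401 challenge plus a Set-Cookie header, then checks whether the client's authenticated retry presents that cookie. Assumptions: Apache HttpClient 4.5.x is on the classpath, the Basic scheme is used as a stand-in for Negotiate so the harness runs without Kerberos (the auth retry loop in MainClientExec is the same code path), the class name CookieOn401Check and the JSESSIONID value are constructed, and the client is built with HttpClients.custom(), which produces the same ProtocolExec-around-MainClientExec layering as WinHttpClients.custom().

```java
// Added diagnostic harness (not part of HTTPCLIENT-1961 or the HttpClient project).
// Assumes Apache HttpClient 4.5.x on the classpath and the JDK's built-in
// com.sun.net.httpserver. Basic auth stands in for the Negotiate scheme so the
// harness runs without Kerberos; the cookie value below is constructed.
import com.sun.net.httpserver.HttpServer;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.CookieStore;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.BasicCookieStore;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.util.EntityUtils;

import java.io.IOException;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.atomic.AtomicBoolean;

public class CookieOn401Check {

    public static void main(String[] args) throws IOException {
        // Records whether the authenticated retry carried the session cookie.
        AtomicBoolean cookieSeenOnRetry = new AtomicBoolean(false);

        // Minimal stand-in for the authentication service: a request without an
        // Authorization header gets 401 + challenge + Set-Cookie; the retry is
        // inspected for the Cookie header and answered with 200.
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/login", exchange -> {
            String authz = exchange.getRequestHeaders().getFirst("Authorization");
            String cookie = exchange.getRequestHeaders().getFirst("Cookie");
            if (authz == null) {
                exchange.getResponseHeaders().add("WWW-Authenticate", "Basic realm=\"sso\"");
                exchange.getResponseHeaders().add("Set-Cookie",
                        "JSESSIONID=constructed-session-id; Path=/"); // constructed value
                exchange.sendResponseHeaders(401, -1); // -1: no response body
            } else {
                cookieSeenOnRetry.set(cookie != null && cookie.contains("JSESSIONID="));
                byte[] body = "ok".getBytes(StandardCharsets.UTF_8);
                exchange.sendResponseHeaders(200, body.length);
                exchange.getResponseBody().write(body);
            }
            exchange.close();
        });
        server.start();
        int port = server.getAddress().getPort();

        try {
            CookieStore cookieStore = new BasicCookieStore();
            CredentialsProvider creds = new BasicCredentialsProvider();
            creds.setCredentials(new AuthScope("127.0.0.1", port),
                    new UsernamePasswordCredentials("user", "pass"));

            // Same builder shape as HttpClientBuilder / WinHttpClients.custom():
            // ProtocolExec (cookie interceptors) wraps MainClientExec (auth loop).
            try (CloseableHttpClient client = HttpClients.custom()
                    .setDefaultCookieStore(cookieStore)
                    .setDefaultCredentialsProvider(creds)
                    .build();
                 CloseableHttpResponse resp = client.execute(
                         new HttpGet("http://127.0.0.1:" + port + "/login"))) {
                EntityUtils.consume(resp.getEntity());
                System.out.println("final status: " + resp.getStatusLine().getStatusCode());
            }

            // Two observable symptoms of the reported defect: the cookie store
            // stays empty, and the retry reaches the server without the cookie.
            System.out.println("cookie stored on client : " + !cookieStore.getCookies().isEmpty());
            System.out.println("cookie sent on auth retry: " + cookieSeenOnRetry.get());
        } finally {
            server.stop(0);
        }
    }
}
```

The final status code on its own does not reveal the problem, since a server that does not require the cookie still answers 200; the two boolean lines are the check. If the analysis in the report holds for the HttpClient version under test, both print false: the 401 response is consumed inside the MainClientExec authentication loop and never reaches ResponseProcessCookies, so the retry goes out without the JSESSIONID. On a build where intermediate 401 responses are run through the cookie interceptors, both print true. Against a real SSO service the same symptom shows up as the second request lacking the session cookie, which is what the reporter observed as a timeout.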
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
