You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@cxf.apache.org by "Yves Piel (Jira)" <ji...@apache.org> on 2022/08/10 08:42:00 UTC
[jira] [Commented] (CXF-8747) Digest authentication - support of qop="auth-int"
[ https://issues.apache.org/jira/browse/CXF-8747?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17577869#comment-17577869 ]
Yves Piel commented on CXF-8747:
--------------------------------
Maybe the issue comes from httpcomponents-client : [https://github.com/apache/httpcomponents-client/blob/18fa09f6a2d760b1c8ff0debb5bc04562dfe9ee1/httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/DigestScheme.java#L75]
Is that this client under the hood ?
> Digest authentication - support of qop="auth-int"
> -------------------------------------------------
>
> Key: CXF-8747
> URL: https://issues.apache.org/jira/browse/CXF-8747
> Project: CXF
> Issue Type: New Feature
> Reporter: Yves Piel
> Priority: Major
>
> Digest authentication has a parameter qop that can take 2 value 'auth' or 'auth-int': [https://www.rfc-editor.org/rfc/rfc7616.html]
> It seems cxf only support 'auth'. We can try with [https://httpbin.org/#/Auth/get_digest_auth__qop___user___passwd___algorithm_]
> {noformat}
> @ParameterizedTest
> @CsvSource({"auth,MD5",
> "auth,SHA-256",
> "auth,SHA-512",
> "auth-int,MD5",
> "auth-int,SHA-256",
> "auth-int,SHA-512",})
> public void digest(String qop, String algo){
> String myUser = "myUser";
> String myPassword = "myPassword";
> WebClient client = WebClient.create("https://httpbin.org/digest-auth/")
> .path("{qop}/{user}/{passwd}/{algorithm}", qop, myUser, myPassword, algo);
> HTTPConduit httpConduit = WebClient.getConfig(client).getHttpConduit();
> AuthorizationPolicy digestAuthPolicy = new AuthorizationPolicy();
> digestAuthPolicy.setUserName(myUser);
> digestAuthPolicy.setPassword(myPassword);
> digestAuthPolicy.setAuthorizationType(HttpAuthHeader.AUTH_TYPE_DIGEST);
> httpConduit.setAuthorization(digestAuthPolicy);
> Response response = client.invoke("GET", null);
> System.out.println(String.format("qop=%s, algo=%s => status: %s", qop, algo, response.getStatus())); // is 200 OK
> }
> {noformat}
> That generates this output:
> {noformat}
> qop=auth, algo=MD5 => status: 200
> qop=auth, algo=SHA-256 => status: 200
> qop=auth, algo=SHA-512 => status: 200
> qop=auth-int, algo=MD5 => status: 401
> qop=auth-int, algo=SHA-256 => status: 401
> qop=auth-int, algo=SHA-512 => status: 401
> {noformat}
> It could be great to support it.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)