You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@cxf.apache.org by "Yves Piel (Jira)" <ji...@apache.org> on 2022/08/10 08:42:00 UTC

[jira] [Commented] (CXF-8747) Digest authentication - support of qop="auth-int"

    [ https://issues.apache.org/jira/browse/CXF-8747?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17577869#comment-17577869 ] 

Yves Piel commented on CXF-8747:
--------------------------------

Maybe the issue comes from httpcomponents-client : [https://github.com/apache/httpcomponents-client/blob/18fa09f6a2d760b1c8ff0debb5bc04562dfe9ee1/httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/DigestScheme.java#L75]

 

Is that this client under the hood ?

> Digest authentication - support of qop="auth-int"
> -------------------------------------------------
>
>                 Key: CXF-8747
>                 URL: https://issues.apache.org/jira/browse/CXF-8747
>             Project: CXF
>          Issue Type: New Feature
>            Reporter: Yves Piel
>            Priority: Major
>
> Digest authentication has a parameter qop that can take 2 value 'auth' or 'auth-int': [https://www.rfc-editor.org/rfc/rfc7616.html]
> It seems cxf only support 'auth'. We can try with [https://httpbin.org/#/Auth/get_digest_auth__qop___user___passwd___algorithm_]
> {noformat}
>     @ParameterizedTest
>     @CsvSource({"auth,MD5",
>             "auth,SHA-256",
>             "auth,SHA-512",
>             "auth-int,MD5",
>             "auth-int,SHA-256",
>             "auth-int,SHA-512",})
>     public void digest(String qop, String algo){
>         String myUser = "myUser";
>         String myPassword = "myPassword";
>         WebClient client = WebClient.create("https://httpbin.org/digest-auth/")
>                 .path("{qop}/{user}/{passwd}/{algorithm}", qop, myUser, myPassword, algo);
>         HTTPConduit httpConduit = WebClient.getConfig(client).getHttpConduit();
>         AuthorizationPolicy digestAuthPolicy = new AuthorizationPolicy();
>         digestAuthPolicy.setUserName(myUser);
>         digestAuthPolicy.setPassword(myPassword);
>         digestAuthPolicy.setAuthorizationType(HttpAuthHeader.AUTH_TYPE_DIGEST);
>         httpConduit.setAuthorization(digestAuthPolicy);
>         Response response = client.invoke("GET", null);
>         System.out.println(String.format("qop=%s, algo=%s => status: %s", qop, algo, response.getStatus())); // is 200 OK
>     }
> {noformat}
> That generates this output:
> {noformat}
> qop=auth, algo=MD5 => status: 200
> qop=auth, algo=SHA-256 => status: 200
> qop=auth, algo=SHA-512 => status: 200
> qop=auth-int, algo=MD5 => status: 401
> qop=auth-int, algo=SHA-256 => status: 401
> qop=auth-int, algo=SHA-512 => status: 401
> {noformat}
> It could be great to support it.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)