Posted to java-dev@axis.apache.org by bu...@apache.org on 2002/08/16 12:06:48 UTC
DO NOT REPLY [Bug 11763] New: - HTTP Authentication not correctly handled
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=11763
Summary: HTTP Authentication not correctly handled
Product: Axis
Version: beta-3
Platform: PC
OS/Version: Windows NT/2K
Status: NEW
Severity: Normal
Priority: Other
Component: Basic Architecture
AssignedTo: axis-dev@xml.apache.org
ReportedBy: p.haensgen@intershop.de
After playing and debugging with the simple authentication handler
(org.apache.axis.handlers.SimpleAuthenticationHandler) I found out that:
- authentication only works if the client is a Java client, generated with
WSDL2Java
- authentication does NOT work if the client is a .NET client.
The reason is, in short, that Axis returns a "HTTP/1.1 500 Internal Server
Error" where it should return a "401 Unauthorized".
If authentication is required and the credentials are not part of the
request or are wrong, a server normally responds with "HTTP/1.1 401
Unauthorized" and a header like "WWW-Authenticate: Basic realm="jaguar"".
The client will repeat the request, but this time the necessary credentials
will be passed, e.g. "Authorization: Basic ABCDEFG"
If I use a Java client (generated with WSDL2Java), this challenge-response
does not take place, because the client immediately sends the credentials.
The server can process the request immediately.
With .NET as client, this is a different story. .NET does not send the
credentials immediately. It only sends the credentials if a 401 error was
received. But this is never happening, because Axis sends a 500 error.
Therefore, the simple authentication handler does not work with .NET.
Possible solution: The necessary code basically looks like this:
HttpServletResponse response =
    (HttpServletResponse) msgContext.getProperty(HTTPConstants.MC_HTTP_SERVLETRESPONSE);
// not authorized, so request basic authentication
response.addHeader("WWW-Authenticate",
    "Basic realm=\"" + ... (some code for the local realm, e.g. the machine name) ... + '\"');
response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
Possible workaround: Write your own authentication handler that conforms
to RFC 2617.
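The exchange the reporter describes, simulated end to end as an added example (this is not Axis code and not part of the original message). Two stand-in servers are constructed: one that challenges per RFC 2617 with 401 plus WWW-Authenticate, and one that answers 500 the way the report says Axis beta-3 does. Two stand-in clients model the behaviours described: a preemptive client that sends "Authorization: Basic" on the first request (the WSDL2Java case) and a challenge-driven client that only sends credentials after seeing a 401 (the .NET case). The USERS store and the user name are constructed for the example; the realm name "jaguar" is taken from the header quoted in the report.

```python
import base64
import binascii
import hmac

# Constructed credential store for this example; not from the bug report.
USERS = {"alice": "s3cret"}
# Realm name reused from the WWW-Authenticate header quoted in the report.
REALM = "jaguar"


def parse_basic_authorization(header):
    """Parse an RFC 2617 'Authorization: Basic <base64>' header value.

    Returns (user, password), or None when the header is absent, uses a
    different scheme, is not valid base64, or lacks the ':' separator.
    """
    if header is None:
        return None
    parts = header.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    if ":" not in decoded:
        return None
    user, password = decoded.split(":", 1)
    return user, password


def credentials_valid(user, password):
    """Check a user/password pair against USERS with a constant-time compare."""
    expected = USERS.get(user)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8"))


def rfc2617_server(request_headers):
    """Server that challenges correctly: 401 + WWW-Authenticate when not authenticated."""
    creds = parse_basic_authorization(request_headers.get("Authorization"))
    if creds is None or not credentials_valid(*creds):
        return 401, {"WWW-Authenticate": 'Basic realm="%s"' % REALM}
    return 200, {}


def broken_server(request_headers):
    """Server behaving as the report describes Axis beta-3: 500, no challenge."""
    creds = parse_basic_authorization(request_headers.get("Authorization"))
    if creds is None or not credentials_valid(*creds):
        return 500, {}
    return 200, {}


def basic_header(user, password):
    """Build the Authorization header value a client sends for Basic auth."""
    raw = ("%s:%s" % (user, password)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def preemptive_client(server, user, password):
    """Sends credentials on the first request, like the WSDL2Java client in the report."""
    status, _ = server({"Authorization": basic_header(user, password)})
    return status


def challenge_driven_client(server, user, password):
    """Sends credentials only after a 401 Basic challenge, like the .NET client.

    Any status other than 401 on the first request is treated as final, which
    is exactly why a 500 from the server leaves this client unauthenticated.
    """
    status, response_headers = server({})
    if status != 401:
        return status
    challenge = response_headers.get("WWW-Authenticate", "")
    if not challenge.lower().startswith("basic"):
        return status  # a scheme this client does not speak; give up
    status, _ = server({"Authorization": basic_header(user, password)})
    return status


if __name__ == "__main__":
    for server in (rfc2617_server, broken_server):
        for client in (preemptive_client, challenge_driven_client):
            print("%-16s %-24s -> %d" % (server.__name__, client.__name__,
                                         client(server, "alice", "s3cret")))
```

Running the matrix shows the asymmetry the report complains about: both clients get 200 from the RFC 2617 server, the preemptive client also gets 200 from the broken server, but the challenge-driven client stops at the broken server's 500 because it never sees a 401 to answer. The parser rejects malformed base64 and non-Basic schemes instead of treating them as a valid login, and the password comparison is constant-time, both of which a handler exposed to arbitrary clients should do.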