Posted to java-dev@axis.apache.org by bu...@apache.org on 2002/08/16 12:06:48 UTC

DO NOT REPLY [Bug 11763] New: - HTTP Authentication not correctly handled

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=11763>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=11763

HTTP Authentication not correctly handled

           Summary: HTTP Authentication not correctly handled
           Product: Axis
           Version: beta-3
          Platform: PC
        OS/Version: Windows NT/2K
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: Basic Architecture
        AssignedTo: axis-dev@xml.apache.org
        ReportedBy: p.haensgen@intershop.de


After playing with and debugging the simple authentication handler 
(org.apache.axis.handlers.SimpleAuthenticationHandler), I found out that:
- authentication only works if the client is a Java client, generated with 
WSDL2Java
- authentication does NOT work if the client is a .NET client.

The reason is, in short, that Axis returns a "HTTP/1.1 500 Internal Server
Error" where it should return a "401 Unauthorized".

If authentication is required and the credentials are not part of the
request or are wrong, a server normally responds with "HTTP/1.1 401
Unauthorized" and a header like "WWW-Authenticate: Basic realm="jaguar"".
The client will repeat the request, but this time the necessary credentials
will be passed, e.g. "Authorization: Basic ABCDEFG".

If I use a Java client (generated with WSDL2Java), this challenge-response
does not take place, because the client immediately sends the credentials.
The server can process the request immediately.

With .NET as client, this is a different story. .NET does not send the
credentials immediately. It only sends the credentials if a 401 error was
received. But this is never happening, because Axis sends a 500 error.
Therefore, the simple authentication handler does not work with .NET.

Possible solution: The necessary code basically looks like this:

import javax.servlet.http.HttpServletResponse;
import org.apache.axis.transport.http.HTTPConstants;

// the servlet response is reachable from the MessageContext of the handler
HttpServletResponse response = (HttpServletResponse) msgContext.getProperty(
    HTTPConstants.MC_HTTP_SERVLETRESPONSE);

// realm value left open, as in the original sketch (some code for
// the local realm, e.g. the machine name)
String realm = ...;

// not authorized, so request Basic authentication (RFC 2617 challenge)
response.addHeader("WWW-Authenticate", "Basic realm=\"" + realm + "\"");

// 401, not 500, so that challenge-driven clients such as .NET retry with credentials
response.sendError(HttpServletResponse.SC_UNAUTHORIZED);


Possible workaround: Write your own authentication handler that conforms
to RFC 2617.
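The challenge-response exchange described in the report, modelled as an added example that is not part of the bug report, of Axis, or of any .NET client code. The server side is a function that maps the incoming Authorization header to an HTTP status and headers; a flag reproduces the reported misbehaviour (500 instead of 401). Two client styles are then run against it: a preemptive one that sends credentials on the first request (the WSDL2Java case) and a challenge-driven one that only sends them after a 401 with a Basic challenge (the .NET case). The realm name "jaguar" is taken from the report; the user "alice" and her password are constructed for the example.

```python
"""RFC 2617 Basic authentication: server decision and two client behaviours.

Added example, not code from the Axis project or the bug report.
"""
import base64
import hmac

REALM = "jaguar"            # realm name as used in the bug report
USERS = {"alice": "s3cret"}  # constructed credential store for the example


def parse_basic_credentials(header):
    """Return (user, password) from an 'Authorization: Basic <b64>' header, or None.

    Only the first ':' separates user from password, so passwords may contain ':'.
    """
    if header is None:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


def handle_request(authorization, challenge_correctly=True):
    """Server side: return (status, response_headers) for one request.

    challenge_correctly=False reproduces the reported bug: a bare 500 with no
    WWW-Authenticate header instead of the 401 challenge RFC 2617 requires.
    """
    creds = parse_basic_credentials(authorization)
    if creds is not None:
        user, password = creds
        expected = USERS.get(user)
        # constant-time comparison so the check does not leak password length/prefix
        if expected is not None and hmac.compare_digest(
                expected.encode("utf-8"), password.encode("utf-8")):
            return 200, {}
    if challenge_correctly:
        return 401, {"WWW-Authenticate": 'Basic realm="%s"' % REALM}
    return 500, {}


def basic_header(user, password):
    """Build the Authorization header value for user:password."""
    raw = ("%s:%s" % (user, password)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def preemptive_client(user, password, challenge_correctly=True):
    """Java/WSDL2Java style: credentials go out with the very first request.

    Returns the list of status codes seen.
    """
    status, _ = handle_request(basic_header(user, password), challenge_correctly)
    return [status]


def challenge_driven_client(user, password, challenge_correctly=True):
    """.NET style: first request carries no credentials; they are only sent
    after a 401 whose WWW-Authenticate header offers the Basic scheme.

    Returns the list of status codes seen, so a 500 ends the trace early.
    """
    status, headers = handle_request(None, challenge_correctly)
    trace = [status]
    challenge = headers.get("WWW-Authenticate", "")
    if status == 401 and challenge.lower().startswith("basic"):
        status, _ = handle_request(basic_header(user, password), challenge_correctly)
        trace.append(status)
    return trace


if __name__ == "__main__":
    print("preemptive, buggy server:      ", preemptive_client("alice", "s3cret", False))
    print("challenge-driven, buggy server:", challenge_driven_client("alice", "s3cret", False))
    print("challenge-driven, fixed server:", challenge_driven_client("alice", "s3cret", True))
```

The traces make the report's point concrete: against the buggy server the preemptive client still gets a 200, while the challenge-driven client sees only a 500 and never sends its credentials; once the server answers 401 with a Basic challenge, the same client retries and succeeds.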