Posted to issues@cxf.apache.org by "Javi Mármol (JIRA)" <ji...@apache.org> on 2017/03/13 10:22:04 UTC

[jira] [Comment Edited] (CXF-7170) Support Multiple WWW-Authenticate Headers

    [ https://issues.apache.org/jira/browse/CXF-7170?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15907113#comment-15907113 ] 

Javi Mármol edited comment on CXF-7170 at 3/13/17 10:21 AM:
------------------------------------------------------------

Same problem. Any feedback about that? Thx in advance. 

We use 2.7.7, but I was looking in the source code of 3.0.1 and I found the same code as in 2.7.7.

We are thinking of applying a patch to discriminate by AuthorizationPolicy.AuthorizationType instead of by substring in the HttpAuthHeader(String fullHeader) constructor of the HttpAuthHeader class.


was (Author: jmarmol):
Same problem. Any feedback about that? Thx in advance.

> Support Multiple WWW-Authenticate Headers
> -----------------------------------------
>
>                 Key: CXF-7170
>                 URL: https://issues.apache.org/jira/browse/CXF-7170
>             Project: CXF
>          Issue Type: Bug
>          Components: Transports
>    Affects Versions: 3.1.8
>            Reporter: Silvan Hollenstein
>
> When the authorization type "Digest" is chosen, and the server responds with a 401 and multiple WWW-Authenticate headers, this will most probably lead to an error.
> Define Digest to be your authentication method:
> ...
> AuthorizationPolicy authPolicy = new AuthorizationPolicy();
> authPolicy.setAuthorizationType("Digest");
> ...
> The HTTPConduit will then create a DigestAuthSupplier. In... 
> ----------------------------------------------------------
> DigestAuthSupplier.getAuthorization(...) {
> ...
> HttpAuthHeader authHeader = new HttpAuthHeader(fullHeader);
>  if (authHeader.authTypeIsDigest()) {
> ...
> }
> }
> ----------------------------------------------------------
> fullHeader will be (because of the two headers):
> 'Basic realm="...", Digest realm="...", nonce="0058a704Y936...", stale=FALSE, qop="auth"'
> the authHeader will have "Basic", because it is the first in fullHeader. But of course this does not match authHeader.authTypeIsDigest(), and then it will return null.
> The actual wrong thing is, imo, that the fullHeader is concatenated, instead of choosing the one auth header that matches the method we have defined. Maybe HttpAuthHeader should hold a list of headers instead of concatenating them.
> Furthermore, it would be nice if the suppliers were chosen automatically, based on what authentication methods the server offers.
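The selection step the reporter asks for (parse every challenge the server offers and pick the one whose scheme matches the configured authorization type, rather than reading the scheme off the front of a concatenated string) can be sketched as below. This is an added example written for this page, not CXF's HttpAuthHeader or DigestAuthSupplier code; the class and method names (Challenge, ChallengeSelector.select) are assumptions, and the header values in main are constructed from the value quoted in the issue (the realm "app" is made up, the nonce fragment is the one shown above).

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/** One challenge from a WWW-Authenticate header: the scheme and its auth-params. */
final class Challenge {
    final String scheme;
    final Map<String, String> params = new LinkedHashMap<>();
    Challenge(String scheme) { this.scheme = scheme; }
    @Override public String toString() { return scheme + " " + params; }
}

/** Hypothetical selector: parse every challenge the server sent, then pick the configured scheme. */
final class ChallengeSelector {

    /** Return the challenge whose scheme matches authType (case-insensitive), or null if none. */
    static Challenge select(List<String> headerValues, String authType) {
        for (Challenge c : parse(headerValues)) {
            if (c.scheme.equalsIgnoreCase(authType)) return c;
        }
        return null;
    }

    /** Parse all challenges, whether they arrive as separate header values or one comma-joined value. */
    static List<Challenge> parse(List<String> headerValues) {
        List<Challenge> challenges = new ArrayList<>();
        for (String header : headerValues) {
            Challenge current = null; // each header value must begin with a scheme
            for (String piece : splitOutsideQuotes(header)) {
                if (piece.isEmpty()) continue;
                int eq = piece.indexOf('=');
                int sp = indexOfWhitespace(piece);
                // "name=value" (no whitespace before '=') continues the current challenge;
                // anything else ("Digest realm=...", "Basic", "Negotiate <token68>") starts a new one.
                boolean isParam = current != null && eq > 0 && (sp < 0 || eq < sp);
                if (isParam) {
                    addParam(current, piece);
                } else {
                    current = new Challenge(sp < 0 ? piece : piece.substring(0, sp));
                    challenges.add(current);
                    if (sp >= 0) addParam(current, piece.substring(sp).trim());
                }
            }
        }
        return challenges;
    }

    private static void addParam(Challenge c, String text) {
        int eq = text.indexOf('=');
        if (eq < 0) {
            c.params.put("token68", text); // scheme data with no name, e.g. Negotiate/Bearer blobs
            return;
        }
        c.params.put(text.substring(0, eq).trim().toLowerCase(), unquote(text.substring(eq + 1).trim()));
    }

    private static String unquote(String v) {
        if (v.length() >= 2 && v.charAt(0) == '"' && v.charAt(v.length() - 1) == '"') {
            return v.substring(1, v.length() - 1).replace("\\\"", "\"");
        }
        return v;
    }

    /** Split on commas that are not inside a quoted-string (a realm may itself contain commas). */
    static List<String> splitOutsideQuotes(String value) {
        List<String> parts = new ArrayList<>();
        StringBuilder cur = new StringBuilder();
        boolean quoted = false;
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (quoted && c == '\\' && i + 1 < value.length()) {
                cur.append(c).append(value.charAt(++i)); // keep escaped char verbatim
                continue;
            }
            if (c == '"') {
                quoted = !quoted;
            } else if (c == ',' && !quoted) {
                parts.add(cur.toString().trim());
                cur.setLength(0);
                continue;
            }
            cur.append(c);
        }
        parts.add(cur.toString().trim());
        return parts;
    }

    private static int indexOfWhitespace(String s) {
        for (int i = 0; i < s.length(); i++) {
            if (Character.isWhitespace(s.charAt(i))) return i;
        }
        return -1;
    }

    public static void main(String[] args) {
        // Constructed: the concatenated value the issue says HTTPConduit handed to HttpAuthHeader.
        String joined = "Basic realm=\"app\", Digest realm=\"app\", nonce=\"0058a704Y936...\", stale=FALSE, qop=\"auth\"";
        // Constructed: the same two challenges as two separate WWW-Authenticate header values.
        List<String> separate = Arrays.asList("Basic realm=\"app\"",
                "Digest realm=\"app\", nonce=\"0058a704Y936...\", stale=FALSE, qop=\"auth\"");
        System.out.println(select(Arrays.asList(joined), "Digest"));
        System.out.println(select(separate, "Digest"));
        System.out.println(select(Arrays.asList("Basic realm=\"app\""), "Digest"));
    }
}
```

Both the comma-joined value and the two separate values yield the same Digest challenge, so a supplier keyed on the policy's authorization type finds its parameters regardless of how the transport delivered the headers; a null result means the server offered no challenge for the configured scheme, which is the case to report rather than silently falling back to whatever scheme happened to come first.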



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)