Posted to issues@cxf.apache.org by "Javi Mármol (JIRA)" <ji...@apache.org> on 2017/03/13 10:22:04 UTC
[jira] [Comment Edited] (CXF-7170) Support Multiple WWW-Authenticate Headers
[ https://issues.apache.org/jira/browse/CXF-7170?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15907113#comment-15907113 ]
Javi Mármol edited comment on CXF-7170 at 3/13/17 10:21 AM:
------------------------------------------------------------
Same problem. Any feedback about that? Thx in advance.
We use 2.7.7, but I looked in the source code of 3.0.1 and found the same code as in 2.7.7.
We are thinking of applying a patch to discriminate by the AuthorizationPolicy.AuthorizationType instead of the substring in the HttpAuthHeader(String fullHeader) constructor of the HttpAuthHeader class.
was (Author: jmarmol):
Same problem. Any feedback about that? Thx in advance.
> Support Multiple WWW-Authenticate Headers
> -----------------------------------------
>
> Key: CXF-7170
> URL: https://issues.apache.org/jira/browse/CXF-7170
> Project: CXF
> Issue Type: Bug
> Components: Transports
> Affects Versions: 3.1.8
> Reporter: Silvan Hollenstein
>
> When the authorization type "Digest" is chosen, and the server responds with a 401 and multiple WWW-Authenticate headers, this will most probably lead to an error.
> Define Digest to be your authentication method:
> ...
> AuthorizationPolicy authPolicy = new AuthorizationPolicy();
> authPolicy.setAuthorizationType("Digest");
> ...
> The HTTPConduit will then create a DigestAuthSupplier. In...
> ----------------------------------------------------------
> DigestAuthSupplier.getAuthorization(...) {
> ...
> HttpAuthHeader authHeader = new HttpAuthHeader(fullHeader);
> if (authHeader.authTypeIsDigest()) {
> ...
> }
> }
> ----------------------------------------------------------
> fullHeader will be (because two headers):
> 'Basic realm="...", Digest realm="...", nonce="0058a704Y936...", stale=FALSE, qop="auth"'
> the authHeader will have the "Basic", because it is the first in fullHeader. But this does not match of course with authHeader.authTypeIsDigest(), and then it will return null.
> The actual wrong thing is, imo, that the fullHeader is concatenated, instead of choosing the one auth header that matches the method we have defined. Maybe HttpAuthHeader should hold a list of headers instead of concatenating them.
> Furthermore, it would be nice when the suppliers were chosen automatically, based on what authentication methods the server offers.
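The approach discussed in this thread (pick the challenge that matches the configured authorization type instead of reading the first word of the concatenated header), as an added example that is not CXF code and not from the reporter or commenter. The class ChallengeSelector and its methods are hypothetical names, and the header value in main is constructed to match the shape of the fullHeader in the report.

```java
import java.util.*;
import java.util.regex.Pattern;

// Added example: hypothetical helper, not part of Apache CXF.
public class ChallengeSelector {
    // A segment opens a new challenge if it starts with a scheme token not followed by '='.
    private static final Pattern NEW_CHALLENGE =
        Pattern.compile("^[!#$%&'*+.^_`|~0-9A-Za-z-]+(\\s+[^=\\s].*)?$");
    // Split a combined WWW-Authenticate value into one string per challenge.
    static List<String> splitChallenges(String combined) {
        List<String> challenges = new ArrayList<>();
        StringBuilder segment = new StringBuilder();
        boolean quoted = false;
        for (int i = 0; i < combined.length(); i++) {
            char c = combined.charAt(i);
            if (quoted && c == '\\' && i + 1 < combined.length()) {
                segment.append(c).append(combined.charAt(++i)); // escaped char in quoted string
            } else if (c == ',' && !quoted) {
                flush(segment, challenges); // commas inside quotes do not split
            } else {
                if (c == '"') quoted = !quoted;
                segment.append(c);
            }
        }
        flush(segment, challenges);
        return challenges;
    }

    // Start a new challenge, or attach the segment as a parameter of the previous one.
    private static void flush(StringBuilder segment, List<String> challenges) {
        String s = segment.toString().trim();
        segment.setLength(0);
        if (s.isEmpty()) return;
        int last = challenges.size() - 1;
        if (last < 0 || NEW_CHALLENGE.matcher(s).matches()) challenges.add(s);
        else challenges.set(last, challenges.get(last) + ", " + s);
    }

    // Return the challenge whose scheme equals the configured authorization type.
    static Optional<String> select(String combined, String authType) {
        return splitChallenges(combined).stream()
            .filter(ch -> ch.split("\\s+", 2)[0].equalsIgnoreCase(authType)).findFirst();
    }
    public static void main(String[] args) {
        // Constructed sample shaped like the fullHeader in the report.
        String fullHeader = "Basic realm=\"example\", Digest realm=\"example\", "
            + "nonce=\"constructed-nonce\", stale=FALSE, qop=\"auth\"";
        System.out.println(select(fullHeader, "Digest").orElse("no matching challenge"));
    }
}
```

With authType "Digest" this prints the Digest challenge with its realm, nonce, stale and qop parameters, even though "Basic" comes first in the combined value.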