Posted to issues@cxf.apache.org by "Christof Harnischmacher (JIRA)" <ji...@apache.org> on 2009/03/10 14:58:51 UTC

[jira] Created: (CXF-2100) Digest auth is broken

Digest auth is broken
---------------------

                 Key: CXF-2100
                 URL: https://issues.apache.org/jira/browse/CXF-2100
             Project: CXF
          Issue Type: Bug
          Components: Transports
    Affects Versions: 2.2
            Reporter: Christof Harnischmacher


When trying to connect to the virtualearth webservice using cxf I found some issues
in the cxf-rt-transports-http artifact regarding digest authentication.

1) "authSupplier" configuration option is missing in org.apache.cxf.transport
.http.spring.HttpConduitBeanDefinitionParser#mapSpecificElements, so it's not
possible to configure a DigestAuthSupplier via cxf.xml.

2) In org.apache.cxf.transport.http.DigestAuthSupplier the method getPassword
returns the username and vice versa.

3) In org.apache.cxf.transport.http.DigestAuthSupplier the 'opaque' field is
always sent to the server even if it was NULL, which results in 'opaque="null"'.
RFC 2069 says:

opaque
  A string of data, specified by the server, which should be
  returned by the client unchanged.  It is recommended that this
  string be base64 or hexadecimal data.  This field is a
  "quoted-string" as specified in section 2.2 of the HTTP/1.1
  specification [2].

So I think the correct handling is to skip the opaque field when no opaque field
was sent by the server.

4) After a while the nonce may become stale, so a new digest has to be created.
To achieve that, every request against a digest authenticated server needs to be
cached and chunking has to be disabled to replay the request with a recalculated
digest.

5) org.apache.cxf.transport.http.HTTPConduit#setHeadersByAuthorizationPolicy: If
an authSupplier is present and an authString was generated, the method should return
even when the authString is NULL, instead of creating a basic auth authorization
header.

I included patches, which allow me to connect to the virtualearth token service.
The wsdl can be found here: https://staging.common.virtualearth.net/find-30/common.asmx?WSDL,
but you have to be authenticated to get it.


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
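The two client-side rules the report asks for in points 3 and 4 (echo `opaque` only when the server sent one, and treat `stale=true` as the signal to recompute the digest and replay the cached request), as an added Python example that is not part of CXF or the attached patch; the challenge parser and field layout are assumed from RFC 2617, and the checked values are that RFC's own worked example.

```python
import hashlib
import re


def parse_challenge(header):
    """Parse a 'Digest k="v", k2=v2' WWW-Authenticate value into a dict.
    Handles both quoted (realm, nonce, opaque, qop) and bare (stale, algorithm) values."""
    assert header.startswith("Digest "), "only the Digest scheme is handled here"
    params = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', header[len("Digest "):]):
        params[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return params


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def build_authorization(challenge, username, password, method, uri, cnonce, nc=1):
    """Build the Authorization header value: RFC 2617 (qop=auth) when the server
    offers qop, otherwise the older RFC 2069 form.  The opaque field is echoed
    only when the server actually sent one, never as the literal 'null'."""
    realm, nonce = challenge["realm"], challenge["nonce"]
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    fields = [("username", username), ("realm", realm), ("nonce", nonce), ("uri", uri)]
    if "auth" in challenge.get("qop", "").split(","):
        nc_str = f"{nc:08x}"  # nonce count, 8 lowercase hex digits
        response = _md5(f"{ha1}:{nonce}:{nc_str}:{cnonce}:auth:{ha2}")
        fields += [("qop", "auth"), ("nc", nc_str), ("cnonce", cnonce)]
    else:
        response = _md5(f"{ha1}:{nonce}:{ha2}")
    fields.append(("response", response))
    if challenge.get("opaque") is not None:  # point 3: skip when the server sent none
        fields.append(("opaque", challenge["opaque"]))
    # qop and nc are sent as bare tokens, everything else as quoted-string
    parts = [f"{k}={v}" if k in ("qop", "nc") else f'{k}="{v}"' for k, v in fields]
    return "Digest " + ", ".join(parts)


def needs_reauth(challenge):
    """Point 4: a 401 carrying stale=true means the nonce expired; the client must
    recompute the digest with the new nonce and replay the cached request body."""
    return challenge.get("stale", "").lower() == "true"
```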


[jira] Updated: (CXF-2100) Digest auth is broken

Posted by "Christof Harnischmacher (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CXF-2100?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Christof Harnischmacher updated CXF-2100:
-----------------------------------------

    Attachment: digest-auth.patch

Added patches.

> Digest auth is broken
> ---------------------
>
>                 Key: CXF-2100
>                 URL: https://issues.apache.org/jira/browse/CXF-2100
>             Project: CXF
>          Issue Type: Bug
>          Components: Transports
>    Affects Versions: 2.1.4, 2.2
>            Reporter: Christof Harnischmacher
>         Attachments: digest-auth.patch



[jira] Resolved: (CXF-2100) Digest auth is broken

Posted by "Daniel Kulp (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CXF-2100?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Kulp resolved CXF-2100.
------------------------------

       Resolution: Fixed
    Fix Version/s: 2.1.5
                   2.2


Patch applied.   Major thanks.

The only change I made was to add a flag to the base HttpAuthSupplier to allow any subclass to specify whether they need the request caching or not.   That eliminates the "instanceof DigestAuthSupplier" in the conduit and also allows us to do the same if we implement NTLM auth later on as that will also need request caching.



> Digest auth is broken
> ---------------------
>
>                 Key: CXF-2100
>                 URL: https://issues.apache.org/jira/browse/CXF-2100
>             Project: CXF
>          Issue Type: Bug
>          Components: Transports
>    Affects Versions: 2.1.4, 2.2
>            Reporter: Christof Harnischmacher
>            Assignee: Daniel Kulp
>             Fix For: 2.2, 2.1.5
>
>         Attachments: digest-auth.patch



[jira] Updated: (CXF-2100) Digest auth is broken

Posted by "Christof Harnischmacher (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CXF-2100?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Christof Harnischmacher updated CXF-2100:
-----------------------------------------

    Affects Version/s: 2.1.4

> Digest auth is broken
> ---------------------
>
>                 Key: CXF-2100
>                 URL: https://issues.apache.org/jira/browse/CXF-2100
>             Project: CXF
>          Issue Type: Bug
>          Components: Transports
>    Affects Versions: 2.1.4, 2.2
>            Reporter: Christof Harnischmacher
>         Attachments: digest-auth.patch



[jira] Assigned: (CXF-2100) Digest auth is broken

Posted by "Daniel Kulp (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CXF-2100?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Kulp reassigned CXF-2100:
--------------------------------

    Assignee: Daniel Kulp

> Digest auth is broken
> ---------------------
>
>                 Key: CXF-2100
>                 URL: https://issues.apache.org/jira/browse/CXF-2100
>             Project: CXF
>          Issue Type: Bug
>          Components: Transports
>    Affects Versions: 2.1.4, 2.2
>            Reporter: Christof Harnischmacher
>            Assignee: Daniel Kulp
>         Attachments: digest-auth.patch
