You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@hc.apache.org by bu...@apache.org on 2005/10/04 22:49:09 UTC

DO NOT REPLY [Bug 36918] New: - Digest auth using CONNECT to IAS fails

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=36918>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=36918

           Summary: Digest auth using CONNECT to IAS fails
           Product: HttpClient
           Version: 3.0 RC1
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Keywords: RFC
          Severity: major
          Priority: P2
         Component: Commons HttpClient
        AssignedTo: httpclient-dev@jakarta.apache.org
        ReportedBy: ender3rd@gmail.com


I'm having a problem getting httpclient-rc1 to authenticate using
digest to our IAS server.  I've tried upgrading to rc3 without any
effect.  I also got our IT guys to upgrade IAS without luck.  I was
also able to have the GET method work under IAS and CONNECT to work
with a couple other proxy servers.  After examining ethereal logs for
my (commons) code and firefox to the same URLs I noticed that the
value for the "uri" setting in the "Proxy-Authorization" header was
the only significant difference.  After looking at RFC 2617 I noticed
that in section 3.2.2 (The Authorization Request Header) it states:

digest-uri
The URI from Request-URI of the Request-Line; duplicated here because
proxies are allowed to change the Request-Line in transit.

A re-examination of the headers showed that firefox was matching the Request-URI
with the digest-uri but that httpclient was not.  I reproduced partial headers
below.  I tried modifying the RC3 source to produce a hard-coded value for "uri"
and demonstrated that it would successfully authenticate to that URI.  I also
checked that authentication would fail to any other URI and it did.

partial httpclient header (fails with 407):
CONNECT gmail.google.com:443 HTTP/1.1
Proxy-Authorization: Digest username="proxytest", realm="Digest",
nonce="503902c343c8c501057a85cea6bad2734378fb44b4cbd1970bf320637871dae85373082cf70ac254",
uri="/", response="7717d0738332a3d8e83e9102b5ead6b9", qop="auth", nc=00000001,
cnonce="583aa0469b31290dc2acd7ec6cfc98f1", algorithm="MD5-sess",
opaque="bb319760fce84856e5648d3536502d81"

partial firefox header (succeeds with 200):
CONNECT mail1.combrio.local:443 HTTP/1.1
Proxy-Authorization: Digest username="proxytest", realm="Digest",
nonce="0e61fe645ec8c5015aa3afe8cfe5219488ed473e277a8cddf8225ad66e74fd214f97d9d96ac99991",
uri="mail1.combrio.local:443", algorithm=MD5-sess,
response="bfac109287273e867531170475172ccf",
opaque="70cb2a1533b85882d0f1aa1e2ad1fbae", qop=auth, nc=00000001,
cnonce="b41aecd6e527e774"

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpclient-dev-help@jakarta.apache.org